Investigations Involving the Internet and Computer Networks

JAN. 07U.S. Department of JusticeOffice of Justice ProgramsNational Institute of JusticeSpecialREPORTInvestigations Involving the Internetand Computer Networkswww.ojp.usdoj.gov/nij

U.S. Department of JusticeOffice of Justice Programs810 Seventh Street N.W.Washington, DC 20531Alberto R. GonzalesAttorney GeneralRegina B. SchofieldAssistant Attorney GeneralDavid W. HagyDeputy Assistant Attorney General, Office ofJustice Programs and Principal Deputy Director,National Institute of JusticeThis and other publications and products of the National Instituteof Justice can be found at:National Institute of Justicewww.ojp.usdoj.gov/nijOffice of Justice ProgramsPartnerships for Safer Communitieswww.ojp.usdoj.gov

JAN. 07Investigations Involving the Internet andComputer NetworksNCJ 210798

David W. HagyDeputy Assistant Attorney General, Office of Justice Programs and Principal Deputy Director, National Institute of Justice This document is not intended to create, does not create, and may not be relied upon to createany rights, substantive or procedural, enforceable by law by any party in any matter civil or criminal.Opinions or points of view expressed in this document represent a consensus of the authorsand do not necessarily reflect the official position or policies of the U.S. Department of Justice.The products, manufacturers, and organizations discussed in this document are presented forinformational purposes only and do not constitute product approval or endorsement by the U.S.Department of Justice.This document was prepared under Interagency Agreement #2003–IJ–R–029 between theNational Institute of Justice and the National Institute of Standards and Technology, Office ofLaw Enforcement Standards.The National Institute of Justice is a component of the Office of Justice Programs, which alsoincludes the Bureau of Justice Assistance, the Bureau of Justice Statistics, the Office ofJuvenile Justice and Delinquency Prevention, and the Office for Victims of Crime.Photo CreditsCover: Getty Images and PhotodiscText: Photodisc, Getty Images, and Digital Stock

ForewordAs the use of the Internet and othercomputer networks has grown rapidlyin recent years, so has the opportunityfor electronic crime. Unlawful activitycan be committed or facilitated online.Criminals can trade and share information,mask their identity, identify and gatherinformation on victims, and communicatewith co-conspirators. Web sites, electronicmail, chat rooms, and file sharing networkscan all yield evidence in an investigation ofcomputer-related crime.This report was developed by the TechnicalWorking Group for the Investigation ofHigh Technology Crimes and is intendedto be a resource for individuals responsiblefor investigations involving the Internetand other computer networks. It is oneof a series of electronic crime investigationdocuments already published or indevelopment by the National Institute ofJustice (NIJ). The guides are developed bytechnical working groups that consist ofpractitioners and subject matter expertsbrought together by NIJ to help lawenforcement agencies and prosecutorsdeal with the growing volume and complexityof electronic crime.The series of guides will discuss the investigationprocess from the first responder,to the laboratory, to the courtroom.Specifically, the guides will address:■ Electronic crime scene investigation byfirst responders.■ Forensic examination of digital evidence.■ Internet and network investigations.■ Investigative uses of technology.■ Courtroom presentation of digitalevidence.■ Development of a digital evidenceforensic unit.The recommendations presented in thisguide are not mandates or policy directivesand may not represent the only correctcourse of action. The guide is intended tobe a resource for those who investigatecrimes related to the Internet and othercomputer networks. It does not discussall of the issues that may arise in theseinvestigations and does not attempt tocover traditional investigative procedures.NIJ extends its appreciation to the membersof the Technical Working Group forthe Investigation of High TechnologyCrimes for their involvement. We commendthem for the long hours of work required toprepare this report and recognize that theydid this while still performing their existingduties with their home offices or agencies.Their commitment of time and expertisewas invaluable to the success of the project.David W. HagyDeputy Assistant Attorney General, Office of Justice Programs and Principal Deputy Director, National Institute of Justice iii

Carlton FitzpatrickChief, Financial Investigations BranchFederal Law Enforcement Training CenterU.S. Department of Homeland SecurityGlynco, GeorgiaGrant GottfriedMITREMcLean, VirginiaRonald J. GreenSenior Vice PresidentCorporate Information SecurityBank of AmericaCharlotte, North CarolinaGerald GriffinDirectorForensic and Technical ServicesU.S. Postal Inspection ServiceU.S. Postal ServiceDulles, VirginiaWilliam HarrodDirector, Investigative ResponseTruSecureHerndon, VirginiaDave HeslepSergeantMaryland State PoliceTechnical Investigation DivisionColumbia, MarylandDarrell JohnsonCaptainKnox County Sheriff’s OfficeKnoxville, TennesseeKevin MansonCoordinatorInternet Investigations Training ProgramsFinancial Fraud InstituteFederal Law Enforcement Training CenterGlynco, GeorgiaMichael McCartneySpecial InvestigatorNew York State Attorney General’s OfficeBuffalo, New YorkBill MoylanDetectiveNassau County Police DepartmentWestbury, New YorkThomas MushenoForensic ExaminerForensic Audio, Video and Image AnalysisFederal Bureau of InvestigationEngineering Research FacilityQuantico, VirginiaTim O’NeillHewlett-Packard Information SecurityRoseville, CaliforniaScott R. PatronikChief, Division of Technology andAdvancementErie County Sheriff’s OfficeBuffalo, New YorkJim Riccardi, Jr.Electronic Crime SpecialistCyberScience LabNational Law Enforcement andCorrections Technology Center–NortheastRome, New YorkRebecca RichardsonNetwork AdministratorMontana State University–BillingsBillings, MontanaAlan RothPostal InspectorForensic and Technical ServicesU.S. Postal ServiceDulles, VirginiaJonathan J. RuschSpecial Counsel for Fraud PreventionCriminal Division, Fraud SectionU.S. Department of JusticeWashington, D.C.Kim SchafferNew Technologies, Inc.Gresham, Oregonvi

Michael SchirlingLieutenantBurlington PoliceVermont Internet Crimes Task ForceBurlington, VermontGreg SchmidtComputer ForensicsFrisco, TexasHoward SchmidtChief Security OfficerEbay, Inc.Campbell, CaliforniaRuss SkinnerSergeantMaricopa County Sheriff’s OfficeComputer Crimes DivisionPhoenix, ArizonaFred SmithAssistant United States AttorneyAlbuquerque, New MexicoMike WeilHuron Consulting GroupChicago, IllinoisCraig WilsonDetective SergeantKent Police Computer Crime UnitUnited KingdomFacilitatorsSusan BallouProgram Manager for Forensic SciencesOffice of Law Enforcement StandardsNational Institute of Standards andTechnologyGaithersburg, MarylandAnjali R. SwientonPresident & CEOSciLawForensics, Ltd.Germantown, Marylandvii

ContentsForeword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii Technical Working Group for the Investigation of High Technology Crimes .........................................................vChapter 1. Introduction and Investigative Issues ...........................1Chapter 2. Tracing an Internet Address to a Source ........................5Chapter 3. Investigations Involving E-Mail. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17Chapter 4. Investigations Involving Web Sites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Chapter 5. Investigations Involving Instant Message Services, Chat Rooms, and IRC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Chapter 6. Investigations Involving File Sharing Networks . . . . . . . . . . . . . . . 49 Chapter 7. Investigations of Network Intrusion/Denial of Service . . . . . . . . . . 55 Chapter 8. Investigations Involving Bulletin Boards, Message Boards, Listservs, and Newsgroups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Chapter 9. Legal Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73 Appendix A. Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 Appendix B. Domain Name Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89 Appendix C. Accessing Detailed Headers in E-Mail Messages. . . . . . . . . . . . . 91 Appendix D. File Sharing Investigative Suggested Checklist . . . . . . . . . . . . . . 93 Appendix E. Sample Subpoenas and Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95 Appendix F. Examples of Potential Sources of Evidence in Network Investigations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107Appendix G. Sample Language for Preservation Request Letters Under 18 U.S.C. § 2703(f). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109Appendix H. Sample Language for 2703(d) Court Order and Application. . . 111Appendix I.Technical Resources List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117 Appendix J. Legal Resources List . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137Appendix K. List of Organizations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139 ix

Chapter 1. Introduction andInvestigative IssuesNote: Terms that are defined in the glossary appear in bold italics on their first appearancein the body of the report.This report is intended to be a resource for individuals responsible for investigationsinvolving the use of the Internet and other computer networks. It does not encompass acomplete discussion of all the issues surrounding the topics in an investigation and doesnot attempt to provide guidance on traditional investigative procedures.The use of the Internet and other computer networks has seen explosive growth. As aresult, any crime could involve devices that communicate through the Internet or througha network.The investigator should be aware that criminals may use the Internet for numerousreasons, including—■ Trading/sharing information (e.g., documents, photographs, movies, sound files, textand graphic files, and software programs).■ Concealing their identity.■ Assuming another identity.■ Identifying and gathering information on victims.■ Communicating with co-conspirators.■ Distributing information or misinformation.■ Coordinating meetings, meeting sites, or parcel drops.Investigations vary in scope and complexity. Evidence of the crime may reside on electronicdevices in numerous jurisdictions and may encompass multiple suspects and victims.Complex evidentiary issues are frequently encountered in Internet and networkinvestigations. Sources of information needed to investigate the case may be locatedanywhere in the world and may not be readily available to the investigator, such as—■ Victims and suspects and their computers.■ Data on workstations/servers/routers of third parties such as businesses, governmententities, and educational institutions.■ Internet Service Provider records.1

SPECIAL REPORT / JAN. 07Digital evidence is fragile and can easily be lost. For example:■ It can change with usage.■ It can be maliciously and deliberately destroyed or altered.■ It can be altered due to improper handling and storage.For these reasons, evidence should be expeditiously retrieved and preserved. Also considerthat when investigating offenses involving the Internet, time, date, and time zoneinformation may prove to be very important. Server and computer clocks may not beaccurate or set to the local time zone. The investigator should seek other information toconfirm the accuracy of time and date stamps.At the scene, the best judgment of the investigator (based on training, experience, andavailable resources) will dictate the investigative approach. In some cases a forensicexamination of the computer will be needed. The investigator should be aware that anyaction taken on the computer system might affect the integrity of the evidence. Only inexigent circumstances (e.g., imminent threat of loss of life or serious physical injury)should an investigator attempt to gain information directly from a computer on the scene.Any action taken should be well documented.In some cases it may be sufficient to collect information from the complainant (and computer),document the incident, and forego a forensic examination of the complainant’scomputer. However, if a suspect’s computer is identified and recovered, in most situationsit should be submitted for forensic examination to preserve the integrity of theevidence.Although this special report focuses on the technical portion of these investigations,it is important to remember that a traditional investigative process must be followed:Witnesses must be identified and interviewed, evidence must be collected, investigativeprocesses should be documented, and chain-of-custody and the legal process must befollowed. In addition, the investigator should consider the following:■ Was a crime committed?■ Who has jurisdiction?■ What resources are needed to conduct the investigation?■ Are sufficient resources available to support the investigation?■ What other resources are available?■ Are there legal issues for discussion with the prosecutor?2

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSChapters 2 and 9 provide information that may apply to any Internet or network investigation.The remaining chapters address investigative, technical, and legal issues related tospecific types of high-technology crimes.For further detailed information regarding the preservation and documentation of digitalcrime scenes, refer to the following National Institute of Justice publications:Electronic Crime Scene Investigation: A Guide for First Responders(www.ojp.usdoj.gov/nij/pubs-sum/187736.htm).Forensic Examination of Digital Evidence: A Guide for Law Enforcement(www.ojp.usdoj.gov/nij/pubs-sum/199408.htm).For further information regarding handling of digital evidence and presenting it effectivelyin court, refer to:Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors(www.ojp.usdoj.gov/nij/pubs-sum/211314.htm).3

Chapter 2. Tracing an InternetAddress to a SourceJust as every house has an address, every computer connected to the Internet has anaddress. This is referred to as an Internet Protocol (IP) address. This chapter explains howIP addresses are assigned and how to trace the addresses to their source.The investigator may also be presented with other types of addresses. Some examplesof these addresses are e-mail addresses and World Wide Web addresses.TypeE-mail addressWeb site addressExamplesomeone@nist.govwww.nist.govInternet Protocol 129.6.13.23addressAll of these may be traced to provide investigative leads. For more information on e-mailand Web site addresses, refer to the specific chapters. Before tracing an IP address, anunderstanding of the following concepts is useful.Internet Protocol addressEvery device involved in communicating on the Internet requires an IP address. 1 An IPaddress is a series of four numbers ranging from 0 to 255, separated by periods. Theaddress identifies the specific network and device. An example of an IP address is:129.6.13.23A common analogy is to compare an IP address to an apartment address. (See exhibit 1.)1For example, devices may be computers, routers, personal digital assistants (PDAs), etc.5

SPECIAL REPORT / JAN. 07Exhibit 1. IP address and apartment addressMajor providerLocal providerNetworkDevice IP Address129.6.13.23StreetBuildingFloorApartment Unit Address16 Maple Apt. #2The IP address does not denote a physical location of the device at the time it isconnected to the Internet.IP addressing uses four decimal-separated numbers, which allows for a total of 256^4 or1,099,511,627,776 unique addresses. This addressing scheme is being expanded toaccommodate additional Internet usage. Regardless of the addressing scheme used, themethod of tracing the IP address will likely remain the same.6

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSPrivate IP addressThree groups of IP addresses are specifically reserved for use by any private network andare not seen on the public Internet. Information for these IP addresses comes from theowner of the network. The ranges are:10.0.0.0 to 10.255.255.255172.16.0.0 to 172.31.255.255192.168.0.0 to 192.168.255.255Internet Service ProvidersInternet Service Providers (ISPs) may be commercial vendors or organizations, such as abusiness or government entity. They may reserve blocks of IP addresses that can beassigned to its users.ISPs may log the date, time, account user information, and ANI (Automatic NumberIdentification) or caller line identification at the time of connection. If logs are kept, theymay be kept for a limited time depending on the established policy of the ISP. Currently,no general legal requirement exists for log preservation; therefore, some ISPs do notstore logs. In the event that particular logs are necessary for the investigation, preparingand submitting a preservation letter as described in chapter 9 are important.Dynamic and static IP addresses“Dynamic” IP addresses are temporarily assigned from a pool of available addresses registeredto an ISP. These addresses are assigned to a device when a user begins an onlinesession. As a result, a device’s IP address may vary from one logon session to the next.“Static” IP addresses are permanently assigned to devices configured to always havethe same IP address. A person, business, or organization maintaining a constant Internetpresence, such as a Web site, generally requires a static IP address.Note: The date and time an IP address was assigned must be determined to tie it to aspecific device or user account. The ISP may maintain historical log files relating thesedynamically assigned IP addresses back to a particular subscriber or user at a particular time.PacketData sent over the Internet are divided into packets that are routed through the Internetand reassembled at the destination. When information such as files, e-mail messages,HyperText Markup Language (HTML) documents, or Web pages are sent from one placeto another on a network, the network operating system divides the information intochunks of an efficient size for routing. Each of these packets includes the address of thedestination. The individual packets for the information being routed may travel differentroutes through a network. When they have all arrived, they are reassembled into theoriginal file.7

SPECIAL REPORT / JAN. 07Note: Capturing packets is beyond the scope of this special report. However, records of apacket’s transmission through a network device may be retained within the logs of thatdevice. It may be necessary to work with the network administrator to obtain these log files.Network devices and servicesNetwork devices and services include routers, 2 firewalls, 3 proxy servers/gateways, 4Network Address Translation (NAT), 5 and Dynamic Host Configuration Protocol(DHCP). 6 By design, these devices and services may or may not have a logging featurethat captures source and destination IP information, login user name, and date and timeof logins. Some or all of these network devices and services may alter or mask the truesource or destination IP address. It may be necessary to work with the network administratorto determine the true source or destination IP address.Domain Name System serversDomain Name System (DNS) servers are the “phonebooks” of the Internet. They maintaindirectories that match IP addresses with registered domains and resolve the textthat people understand (the domain name) into a format that devices understand (the IPaddress).In exhibit 2, My PC sends the request for the location of “www.nist.gov.” The DNS serverresponds with the assigned IP address of “129.6.13.23.” My PC then requests to displaydata from IP address 129.6.13.23, the computer on the Internet that hosts the nist.govWeb site.2A router is a device that determines the next network point to which a data packet should be forwarded to reach its destination. Therouter is connected to at least two networks and determines which way to send each data packet based on its current understanding ofthe state of the networks to which it is connected.3A firewall is a set of related programs that protects the resources of a private network from unauthorized users. A firewall filters allnetwork packets to determine whether to forward them to their destination.4A proxy server/gateway are devices that pass traffic between networks. Typically, a gateway physically sits at the perimeter of aninternal network to the Internet. A proxy server may contain cached pages of previously visited Web sites.5Network Address Translation (NAT) is a service that allows computers on a private network to access the Internet by translating aprivate (reserved) IP address to a public (Internet routable) IP address. NAT modifies outgoing network packets so that the return addressis a valid Internet host, thereby protecting the private addresses from public view.6Dynamic Host Configuration Protocol (DHCP) is a service that automates the assignment of IP addresses on a network. DHCP assigns anIP address each time a computer is connected to the network. DHCP uses the concept of a “lease” or amount of time that a given IPaddress will be valid for a specific computer. DHCP can dynamically reassign IP addresses for networks that have a requirement for moreIP addresses than are available.8

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSExhibit 2. Domain Name System (DNS)ISP129.6.13.23 (www.nist.gov)Go to129.6.13.23Who iswww.nist.gov?DNSwww.nist.gov = 129.6.13.23My PCwww.nist.govis 129.6.13.23Registering domain namesA person or an organization can register a domain name as long as it is not already registered.Domain names are registered with the Internet Corporation for Assigned Namesand Numbers (ICANN), a nonprofit organization responsible for Internet address assignmentand domain name server management.Information required to register a domain name includes name, address, phone number,billing information, e-mail address, and technical and administrative contact information.In addition to this information, the date that a domain was registered may be availablefrom the registrar. Although this information may provide investigative leads, the investigatorshould be aware that the information originates from the person registering thedomain name and may be fictitious.Spoofing, masking, and redirectingAdvanced methods of obscuring actions on the Internet include hiding the IP address,pretending to be someone else, and sending traffic through another IP address. Thesemethods are commonly referred to as masking, 7 spoofing, 8 and redirecting. 9 Advancedtraining is required to investigate or identify when these actions have taken place.Therefore, even after completing legal process, traditional investigative methods may stillbe necessary to identify the end user. In some cases, masking, spoofing, or redirectingmay prevent the identification of the user.7IP masking is a method of hiding or obscuring the true source IP address.8IP spoofing is a method of impersonating another system’s IP address.9IP redirecting is a method of forwarding or routing Internet traffic to an obscured IP address.9

SPECIAL REPORT / JAN. 07Tracing an IP address or domain nameScenarioA citizen makes a claim that while surfing the Internet, he came across a Web site thathe believes should be looked at by law enforcement. The citizen provides the Web sitename of www.nist.gov.Step 1. Resolve domain nameThe first step is to resolve the domain name of www.nist.gov to an IP address. Manycommercial software tools are available to assist an investigator in resolving domainnames into IP addresses. In addition, many publicly available Web sites will resolvedomain names. Some of the more commonly used Web sites include the following:www.network-tools.comwww.samspade.orgwww.geektools.comwww.dnsstuff.comNote: The above sites contain more than one tool.The features and level of detail available from the above sites may differ. The commonutilities on these Web sites include the following:whoisnslookuptracerouteA utility that queries a database that includes domain names, IP addresses, and points ofcontact, including names, postal addresses, and telephone numbers.A utility that queries a domain name server for a particular name and provides the IPaddresses for a particular domain. Caution: The IP addresses may not be returned from avalidated source and therefore could be erroneous.A utility that attempts to trace the path a packet takes as it travels from one device to another.Traceroute can help to narrow down the geographic location of a particular device.Note: Investigators should be aware that inquiries made on these sites might be monitoredand recorded. It is important to conduct sensitive inquiries from a computer that isnot traceable back to the investigating agency.Step 2. Determine and record domain name registrationThe next step is to determine and record the domain name registration information. Thefollowing online resources can be used to obtain registration information:www.network-tools.comwww.samspade.orgwww.geektools.comwww.apnic.net (Asia)www.checkdomain.comwww.lacnic.netwww.ripe.net (Europe)www.whois.comwww.dnsstuff.com10

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSExhibit 3. Domain name registrationExhibit 3 shows the registration information for www.nist.gov and has resolved it to theIP address 129.6.13.23. The typical information provided includes—■ Registered owner’s name and address.■ Billing information.■ Administrative contact.■ Range of IP addresses associated with the domain.■ Technical contact information.11

SPECIAL REPORT / JAN. 07The listed contacts may provide additional information about the specific computer beingsought, including its location and the person designated to receive legal process.Note: The same process can be used to resolve an IP address to a domain name toobtain contact information.Where’s the evidence?Information can be found in numerous locations, including—■ User’s computer.■ ISP for the user.■ ISP for a victim and/or suspect.■ Log files contained on the victim’s and/or suspect’s—— Routers.— Firewalls.— Web servers.— E-mail servers.— Other connected devices.See exhibit 4 for a graphic representation of the information flow.Given an IP address and a date and time (including the time zone), most ISPs can identifythe registered user assigned to the IP address at the specific time, enabling the investigatorto request additional information. However, the investigator may need to use traditionalinvestigative methods to identify the person using the account at that time.Step 3. Provide legal service of processThe third step is to determine the appropriate parties to contact and/or serve legalprocess, depending on the facts of the investigation as discussed in subsequent chapters.Warrants, court orders, or subpoenas are typically required to release exact enduserinformation to law enforcement. Many of these requirements are governed by theElectronic Communications Privacy Act (ECPA) and other applicable Federal and Statelaws. A preservation letter may assist in preserving information until proper legal requirementscan be met. These requests should specify the IP address and the date and time,including the time zone. Be cognizant of the need for expeditious service of preservationletters under 18 USC § 2703(f) (appendix G). See chapter 9 for more details on legalrequirements and appendix H for sample language.Information that may be obtained from the ISP includes—■ Subscriber information such as the registered owner, address, and payment method.■ Transactional information such as connection times, dates, and IP address used.12

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSExhibit 4. Where to find information■ Content such as e-mail messages, data files, and stored programs.Some of the information used in tracing an IP address or end user may be obtained fromISPs or network administrators. This information typically includes account information,e-mail address information, IP address, and domain name. It may or may not containinformation about the owner or user. Based on the information received, additional investigationmay be required. Additional subpoenas, search warrants, court orders, andpreservation letters may need to be served on entities identified by the previous legalprocess. For example, if the original IP address resolves to “BIG-ISP.com,” legal processis issued to BIG-ISP.com to identify the user of a particular IP address at a particular dateand time. The return identifies “Medium-ISP.com” as the user of that IP address. (A commonpractice among smaller ISPs is to lease blocks of IP addresses from larger ISPs.) Atthis point, additional legal process must be issued to “Medium-ISP.com.” This processcontinues until the information identifies the user logged in on that particular IP addressfor a specific date and time or until all investigative leads are exhausted.Sample language. When drafting legal process, the following sample language may beuseful. However, the ISP may require other specific language.13

SPECIAL REPORT / JAN. 07■ ISP account information: “Any and all subscriber information relating to the accountof (Name) including but not limited to user identity, user account information, screennames, account status, detailed billing records, e-mail account information, caller lineidentification (ANI), account maintenance history notes, and IP history from (Date) topresent.”■ E-mail address information: “Any and all subscriber information relating to the individualwho registered and maintains the e-mail address of (JonDoe@Email.com) includingbut not limited to user identity, user account information, screen names, account status,detailed billing records, e-mail account information, caller line identification (ANI),account maintenance history notes, and IP history from (Date) to present.”■ IP address information: “Any and all subscriber information relating to the account ofthe individual who was assigned the IP address of (IP Address) on (Date) at (Time andTime Zone) and the IP address of (IP Address) for (Date) at (Date and Time Zone)including but not limited to user identity, user account information, screen names,account status, detailed billing records, e-mail account information, caller line identification(ANI), account maintenance history notes, and IP history from (Date) topresent.”■ Domain name information: “Any and all information relating to the identity of the individualwho registered and maintains the domain names of (www.xxxxxxxx.com) and(www.xxxxxxxx.org) including but not limited to all account information, billing recordsincluding credit card number or other payment information, user identity, IP history,and caller line identification.”■ Web page information: “All information on the individual who created and maintainsthe (ISP) Web page (Web page name) including but not limited to user identity, useraccount information, billing records, e-mail account information, caller line identification,usage logs, and IP history.”■ Telnet session providers: “Any and all IP history relating to Internet traffic of(xxxxx.net) and user logs of (xxxx.net’s) Telnet sessions for (Date) and (Date) includingbut not limited to user identity, user name, user commands issued, and user address.”■ Point of Presence (POP) information: “Any and all information relating to the(ANS.NET or other ISP) Point of Presence location that issued the IP (IP Address) on(Date/Time) including but not limited to dial-in access phone number, physical address,and (Telephone Company) to whom the dial-in access phone number is subscribed.”■ Outgoing telephone records: “Any and all information including but not limitedto subscriber information and billing information for the address of (Address ofSubscriber). Any and all information including, but not limited to subscriber informationand billing information for the telephone number of (Telephone Number). Include alisting of any local outgoing calls made from the above address. Include above informationfor any and all telephone numbers listed for the above address for the periodof (Date/Time).”14

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSSummaryAll communications on the Internet and across networks rely on an IP address to reachtheir destination. The key to investigating crimes relating to the Internet and networks isto identify the originating IP address and trace it to a source. These skills enable aninvestigator to locate additional sources of evidence, corroborate victim and witnessstatements, and potentially locate a suspect.15

Chapter 3. Investigations InvolvingE-MailE-mail can be a starting point or a key element in many investigations. E-mail is the electronicequivalent of a letter or a memo and may include attachments or enclosures. Likepaper or postal mail, an e-mail may represent evidence in many types of investigations.No longer exclusive to desktop computers, e-mail is now readily exchanged using manyportable devices such as cell phones, personal digital assistants (PDAs), and pagers.How e-mail worksE-mail can be generated by different devices and methods but, most commonly, a usercomposes the message on her own computer and then sends it off to her mail server. Atthis point the user’s computer is finished with the job, but the mail server still has todeliver the message. A mail server is like an electronic post office—it sends and receiveselectronic mail. Most of the time, the mail server is separate from the computer wherethe mail was composed. (See exhibit 5.)Exhibit 5. Generating e-mailStep 1Mail serverStep 2The sender’s mail server delivers the message by finding the recipient’s mail server andforwards the message to that location. The message then resides on that second mailserver and is available to the recipient. The software program being used to compose andread the e-mail message is sometimes referred to as the e-mail client. Depending onhow the recipient’s e-mail client is configured, a copy of the message could be found onthe recipient’s computer, another electronic device such as an all-in-one telephone or17

SPECIAL REPORT / JAN. 07Exhibit 6. Delivering e-mailMail serverNetworkUncle Bob usesRelayingINTERNETRelayingEmployeeE-mail serverE-mail serverPDA, and/or the mail server or its backup tapes. A copy of the message may also befound on the sender’s computer (in the “sent” box or trash), or on the sender’s mail serveror its backup tapes. (See exhibit 6.)As the message travels through the communications network, an abbreviated record ofthe e-mail’s journey is recorded in an area of the message called the header. As the messageis routed through one or more mail servers, each server adds its own information tothe message header. The investigator may be able to identify Internet Protocol (IP)addresses from the header and use this information to determine the sender of themessage using techniques discussed in chapter 2.Basic components of an e-mailVarious methods are used for creating and sending an e-mail message. The appearanceof an e-mail message depends on the device or software program used. However, amessage typically has a header and a body and may also have attachments. The e-mailheader contains addressing information and the route that an e-mail takes from sender toreceiver. The body contains the content of the communication. Attachments may be anytype of file such as pictures, documents, sound, and video.When initially viewing an e-mail message, only a small portion of the e-mail header maybe displayed. This usually is information put into the message by the sender, as representedin exhibit 7.18

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSExhibit 7. E-mail componentsHeaderAttachmentBodyHowever, the e-mail message depicted in exhibit 7 does not display all of the availableinformation. Additional information associated with the e-mail may be obtained by lookingat the header in more detail, which can be done in different ways depending on thesoftware program being used. See appendix C for instructions on how to reveal detailedheader information for common e-mail clients. Be aware that not all e-mail clients are listed,and updates to the clients may change the method of obtaining the detailed headerinformation.The journey of the message can usually be reconstructed by reading the e-mail headerfrom bottom to top. As the message passes through additional mail servers, the mailserver will add its information above the previous information in the header. One ofthe most important pieces of information for the investigator to obtain from thedetailed header is the originating IP address. In the example in exhibit 8, theoriginating IP address is [165.247.94.223]19

SPECIAL REPORT / JAN. 07Exhibit 8. E-mail header12.11.10.9.8.7.6.5.4.3.2.X-Message-Info: JGTYoYF78jEv6iDU7aTDV/xX2xdjzKcHReceived: from web11603.mail.yahoo.com ([216.136.172.55]) by mc4­f4 with Microsoft SMTPSVC(5.0.2195.5600);Mon, 8 Sep 2003 18:53:07 -0700Message-ID: 20030909015303.27404.qmail@web11603.mail.yahoo.comReceived: from [165.247.94.223] by web11603.mail.yahoo.com viaHTTP; Mon, 08 Sep 2003 18:53:03 PDTDate: Mon, 8 Sep 2003 18:53:03 -0700 (PDT)From: John Sender Subject: The Plan!To: RecipientName_1@hotmail.comMIME-Version: 1.0Content-Type: multipart/mixed; boundary=“0-2041413029­1063072383=:26811”Return-Path: sendersname2003@yahoo.comX-OriginalArrivalTime: 09 Sep 2003 01:53:07.0873 (UTC)FILETIME=[1DBDB910:01C37675]1.--0-2041413029-1063072383=:26811Content-Type: multipart/alternative; boundary="0-871459572­1063072383=:26811"--0-871459572-1063072383=:26811Content-Type: text/plain; charset=us-asciiReceived the package. Meet me at the boat dock.See attached map and account numbersTo understand the parts of the e-mail header in exhibit 8, the header is reproduced belowwith a line-by-line description. Note that the e-mail header is composed of two generalareas, the envelope header and the message header.The envelope header contains information added to the header by the mail servers thatreceive the message during the journey. The “Received:” lines and the Message-ID lineare the main components of the envelope header and are generally more difficult tospoof. In the following example, lines 9 through 12 are part of the envelope header.The message header contains information added to the header by the user’s e-mailclient. This is generally user-created information and is the easiest to spoof. It containsthe To:, From:, Return-Path:, Subject:, Content-Type:, and the first Date and time. In thefollowing example, lines 2 though 8 are part of the message header.12. X-Message-Info: JGTYoYF78jEv6iDU7aTDV/xX2xdjzKcHX-headers are nonstandard headers and are not essential for the delivery of mail.The usefulness of the X-header needs to be explored with the Internet ServiceProvider (ISP).20

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKS11. Received: from web11603.mail.yahoo.com ([216.136.172.55]) by mc4-f4 withMicrosoft SMTPSVC(5.0.2195.5600); Mon, 8 Sep 2003 18:53:07 -0700 Received:This “Received” line is the last stamp that was placed in the header. It is placedthere by the last mail server to receive the message and will identify the mail serverfrom which it was received. Note that the date and time stamp is generated by thereceiving mail server and indicates its offset from UTC (-0700). In this example, themail server’s name is indicated. This can be accomplished by either the receivingserver resolving the IP address of the last mail server or the prior mail server broadcastingits name.10. Message-ID: 20030909015303.27404.qmail@web11603.mail.yahoo.comMessage-ID:A unique identifier assigned to each message. It is usually assigned by the firste-mail server and is a key piece of information for the investigator. Unlike theoriginating IP address (below), which can give subscriber information, the messageidcan link the message to the sender if appropriate logs are kept.9. Received: from [165.247.94.223] by web11603.mail.yahoo.com via HTTP; Mon,08 Sep 2003 18:53:03 PDTReceived:The bottom “Received” line identifies the IP address of the originating mail server. Itcould indicate the name of the server, the protocol used, and the date and time settingsof the server. Note the time zone information that is reported.CAUTION: If the date and time associated with the e-mail are important to the investigation,consider that this “Received” time recorded in the e-mail header comesfrom the e-mail server and may not be accurate.8. Date: Mon, 8 Sep 2003 18:53:03 -0700 (PDT)Date:This date is assigned by the sender’s machine and it may not agree with the e-mailserver’s date and time stamp. If the creation date and time of the e-mail are importantto the investigation, consider that the time recorded in the e-mail header comesfrom the sender’s machine and may not be accurate.7. From: John Sender From:This is information usually configured in the e-mail client by the user and may notbe reliable.21

SPECIAL REPORT / JAN. 076. Subject:The Plan!Subject:This is information entered by the user.5. To: RecipientName_1@hotmail.comTo:This is information entered by the user.4. MIME-Version: 1.0Content-Type: multipart/mixed; boundary=”0-2041413029-1063072383=:26811”The purpose of these two lines is to give the recipient’s e-mail client information onhow to interpret the content of the message.3. Return-Path: sendersname2003@yahoo.comReturn-Path:This is information usually configured in the e-mail client by the user and may notbe reliable.2. X-OriginalArrivalTime: 09 Sep 2003 01:53:07.0873 (UTC)FILETIME=[1DBDB910:01C37675]X-headers are nonstandard headers and are not essential for the delivery of mail.The usefulness of the X-header needs to be explored with the Provider ISP.1. --0-2041413029-1063072383=:26811E-mail client information; not relevant to the investigation.Once the IP addresses are identified in the header, the procedures outlined inchapter 2 can be used to trace the journey of the e-mail. Be aware that IP addressescan be created or spoofed in an attempt to hide the true identity of the sender.Time stampingInvestigators should be aware that when examining e-mail headers, times may not beconsistent. Date and time stamps related to the header should be scrutinized as thesetimes may be added by different servers in different parts of the world and different timezones and may not be consistent. In addition, clocks built into computer systems andpowered by batteries—especially those on personal computers—may not always beaccurately set or may not keep time correctly, resulting in the wrong time. Special considerationshould be given to looking for time zone information related to the time.Exhibit 9 shows a chronological sequence of actions with different clock times involved intransmitting e-mail.22

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSExhibit 9. E-mail time sequence6:35 7 12 5 4a.m. a.m. noon a.m. a.m.Wrong Eastern Standard UTC Mountain Standard Pacific Standardtime time time timeSender’s Sender’s ISP Local Receiver’slaptop server mail server mail server desktopIssues to be aware ofSpoofed e-mail headers. Anything up to the last (topmost) “Received:” line in themessage header can be spoofed, or faked. Compare the information in the messageheader with that in the envelope header. If the two do not agree, the possibility existsthat the e-mail may have been spoofed.Anonymizers. Anonymizers are e-mail servers that strip identifying information from themessage before forwarding it. Although valid reasons exist for using an anonymizer service,many individuals use the service to conceal their identity. If an anonymizer is used,the investigator may not be able to trace the e-mail to its origin as logs are frequently notmaintained by these services.Remote locations. Note that many public places exist where Internet access is available,such as libraries, schools, airports, hotels, and Internet cafes. If an e-mail messageis sent from one of these locations, determining the actual sender may be difficult.23

SPECIAL REPORT / JAN. 07Delayed send. Many providers and e-mail clients have the ability to allow the sender toschedule the time an e-mail is sent. Also, some servers send e-mail at a certainprescheduled time. Either of these situations could allow an individual to be at anotherlocation at the time the mail is actually sent.E-mail location. Regardless of the type of e-mail being used, the message can bestored in multiple locations. Consider obtaining it from as many sources as possible. Forexample, if the message is Web based and stored by a service provider (e.g., Hotmail ® ,Yahoo!®), time is of the essence as many of these companies have a policy to purgeinformation after a certain period of time. A preservation letter issued to the providerwould be a necessary measure to prevent purging of data. Further information aboutpreservation orders can be found in chapter 9.Forensic examinationAn investigator should not attempt to examine a computer system if theinvestigator has not received special training in forensic examination of computers.The investigator should follow agency policy or contact an agency with a forensicexamination capability.A forensic investigation of a computer system might reveal additional information,such as—■ Other e-mail messages related to the investigation.■ Other e-mail addresses.■ Sender information.■ Content of the communications.■ IP addresses.■ Date and time information.■ User information.■ Attachments.■ Passwords.■ Application logs that show evidence of spoofing.Legal considerationsAs in all investigations involving computer evidence and the recovery of computer data,specific legal requirements and reliable forensic procedures must be followed to obtain24

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSadmissible evidence and to avoid civil and criminal liability. See chapter 9 for furtherinformation and consult with legal counsel when appropriate.In determining the legal issues for the investigation, at a minimum the following shouldbe considered:■ The Fourth Amendment.■ Electronic Communications Privacy Act (18 U.S.C. § 2501 et seq.).■ Electronic Communications Privacy Act (18 U.S.C. § 2701 et seq.). (This section isreferred to as Stored Wire and Electronic Communications Section.)■ Pen Register and Trap and Trace Statute (18 U.S.C. § 3121 et seq.).■ Title III Wiretaps.■ Applicable State laws.The Fourth AmendmentIf the e-mail resides on the sender’s or recipient’s computer or other device, then thesteps taken to secure that evidence must be analyzed under the Fourth Amendment andState constitutional requirements. The investigator must consider whether the person onwhose computer the evidence resides has a reasonable expectation of privacy on thatcomputer. The Fourth Amendment would require a search warrant or one of therecognized exceptions to the search warrant requirements such as consent or exigentcircumstances.Electronic Communications Privacy ActIf the e-mail is stored by an Internet Service Provider or any other communications network,retrieval of that evidence must be analyzed under the Electronic CommunicationsPrivacy Act (ECPA). ECPA creates statutory restrictions on government access to suchevidence from ISPs or other electronic communications service providers.ECPA requires different legal processes to obtain specific types of information. Basicsubscriber information (name, address, billing information including a credit card number,telephone toll billing records, subscriber’s telephone number, type of service, and lengthof service) can be obtained by subpoena, court order, or search warrant. Transactionalinformation (such as Web sites visited, e-mail addresses of others from whom or towhom the subscriber exchanged e-mail, and buddy lists) can be obtained by court orderor search warrant. A search warrant can be used to obtain content information fromretrieved e-mail and must be used to obtain unretrieved stored e-mails. 10 Real-timeaccess (traffic intercepted as it is sent or received) requires a wiretap order under theprovisions of Title III. For further details refer to chapter 9.10For investigating agencies located within the Ninth Circuit (California, Oregon, Washington, Arizona, Montana, Idaho, Nevada,Alaska, Hawaii, Guam, and the Northern Mariana Islands), a search warrant must be used to obtain content information from anye-mail, as discussed in more detail in chapter 9.25

SPECIAL REPORT / JAN. 07Pen Register and Trap and Trace StatuteThis applies not only to telephone communications, but also Internet communications.For example, every e-mail communication contains to and from information. A pen/trapdevice captures noncontent information of communications in real time.Title III wiretapsTitle III may need to be considered, depending on how an ISP executes a request toobtain a subscriber’s e-mail. However, to obtain e-mail in real time as it is ingoing andoutgoing from the ISP, a Title III wiretap order is always required.SummaryInformation obtained from an e-mail message can be valuable evidence. This chapterprovides techniques to obtain one piece of the investigation puzzle. Once the e-mailaccount subscriber is identified, however, other investigative techniques should be usedto actually place an individual at the keyboard at the time the message was sent. Keep inmind the legal procedures that must be followed to ensure the evidence gathered can beused in court.26

Chapter 4. Investigations InvolvingWeb SitesThis chapter provides guidance regarding methods and practices to conduct Web siteinvestigations. The investigator should be aware that access to a Web site may be monitoredby the target of the investigation. Monitoring may reveal the investigator’s identity,thus compromising the investigation. Use of an undercover computer and InternetService Provider (ISP) account or other covert methods should be considered.Investigations should not be conducted using the suspect’s or victim’s computerunless exigent circumstances exist, as the integrity of the evidence may be affected.Generally, a Web site is a collection of related Web pages or files (such as pictures,sounds, or text) that is stored on a Web server. The typical language that these pages arewritten in is HyperText Markup Language (HTML). This language allows users to easilynavigate between related pages or files in the collection. It also allows a related collectionof pages to be linked to another related collection of pages. Simply put, HTMLallows links between Web sites.A Web server is a computer with special software that provides Web pages to clientsacross the Internet or an intranet. A Web server can host multiple Web sites, many ofwhich may not be related to the ongoing investigation. Additionally, the files that comprisea single Web site may exist on more than one Web server.A Web page is accessed by typing a Uniform Resource Locator (URL) into a Web browsersuch as Internet Explorer ® , Netscape ® Navigator, or Mozilla. The URL is the address ofa resource, or file, available on the Internet. The URL contains the protocol of theresource (e.g., http://, https://), the domain name for the resource, and the hierarchicalname for the file (address). For example, a page on the Internet may be at the URLhttp://www.nist.gov. The beginning part, http://, provides the protocol, the next part,www, is a pointer to a Web server, and nist.gov is the domain. See chapter 2 for moreinformation on domain names and the IP addresses associated with them.Hyperlinks (links) are shortcuts that allow users to navigate from one Web page toanother Web page or file without manually entering the full URL address. Links may behidden on the Web pages so that only users who know where to look will likely find thelinks. Links may also automatically redirect the Web browser to a different Web site.Investigators should be aware that although Web pages are typically written in HTML,they may also be written in “scripting” languages. These languages allow the Web pageto display individualized content for each user. The content may be tailored to each user’s27

SPECIAL REPORT / JAN. 07Internet Protocol (IP) address, previously visited Web sites, stored cookies, or other criteria.Therefore, it is possible for two people who simultaneously navigate to the same URLto view different content.Viewing the HTML source of a Web pageThe HTML source of a Web page is text that defines the content and format of a page. Inaddition to the graphical representation provided to the viewer, the page may containadditional information related to its author, programming code, metadata, 11 and otheridentifying information that may not be displayed in Web page view. Most common Webbrowsers allow users to view the source of a Web page. Exhibit 10 shows a screen capturefor the www.nist.gov Web site, followed by the HTML source information. To viewthe HTML source using Internet Explorer ® , select “view” on the toolbar, then select“source” on the drop-down menu.Note: Techniques are available that can obscure the HTML source while still allowing normalviewing of the Web page in a browser.Capturing Web page dataDepending on the nature and scope of the investigation, capturing the information from asingle Web page or the entire contents of a Web site may be useful. The techniques forobtaining this information may include screen captures, the “save as” command, Website capture tools, or locating and seizing the Web server.Screen captureSeveral methods are available for capturing a screen shot of a Web page. One method isa Windows ® function [Ctrl]+[PrntScrn], which will capture the entire screen by copying itto the Windows ® clipboard. The image may then be pasted ([Ctrl]+[v] or Edit > Paste)into another application, such as a word-processing program or graphics editor, forpreservation. Another method is to use a third-party software application specificallydesigned to capture images of screens or active windows. These methods may onlycapture the displayed content of the active window and may not capture content that isoutside the display of the active window. The HTML source will not be captured unless itis displayed.“Save as” commandA simple method to capture Web page information that may include the HTML sourceand embedded files is to use the “save as” command within the Web browser. This commandwill save the Web page to a specified location on the computer the investigator isusing. In exhibit 11, the “save as” command is shown on the left, and the destination ofthe Web page capture is shown on the right. Note that depending on the version of the11Metadata in this context is information that describes the attributes or search keywords that have been embedded in a Web page’ssource code.28

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSExhibit 10. Screen capture and HTML source for NIST Web site29

SPECIAL REPORT / JAN. 07Web browser used, several “Save as type” options may be used to capture the completepage and all of its embedded files. In exhibit 11, the “Save as type” option will result inthe entire Web page with all of the embedded files being saved to a folder located in thesame directory. A good practice is to test and verify the information that is capturedusing the different “save as” options before using this technique in an investigation.Once the capture is completed, it should be immediately verified to ensure that all of theinformation sought has been saved.Exhibit 11. Save as command and Web page captureWeb site capture toolsA way to automate the capture of a collection of pages within a Web site is through theuse of third-party applications. It would be time consuming to manually navigate to andsave each Web page on a large Web site. Numerous commercial and freeware tools areavailable for capturing Web sites. The use of specific tools is beyond the scope of thisdocument. In general these programs are designed to navigate to each link on a Webpage and capture all of the content, including embedded files and source code, ofthose links.It is important for the investigator to be aware that the content of the current Web sitemay have changed since the initiation of the investigation. Therefore, the date and time ofWeb site captures should be documented. Determining previous content of many Websites may be possible through the use of Web archiving sites (e.g., the Wayback30

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSMachine searching tool, http://www.archive.org) or similar sites. For details on howthese sites work, visit and read the site documentation.Note: For Web sites written in scripting languages, it may not be possible to capture allthe specific content of interest with Web site capture tools.Locating and seizing the Web serverIn some investigations in which a Web site is being used to perpetrate a crime (e.g., distributionof child pornography), locating and seizing the Web server should be considered.The Web server may contain the content and HTML source, as well as transactional logsthat show the IP addresses of users who connect to and download from the Web site.The server may also store user names, passwords, payment methods, and other pertinentinvestigative information. To locate and identify a Web server, it will be necessary toobtain the IP address and other identifying information and to establish the requisitelegal basis to seize and search the Web server. See chapter 2 for details on how to determinethe IP address for Web sites by domain.Personal civil liability issues may be associated with the seizure of Web sites cohostedon the Web server that are unrelated to the investigation.Legal issuesInvestigations involving Web sites may be governed by the Electronic CommunicationsPrivacy Act (ECPA), the Fourth Amendment, and the Privacy Protection Act. Refer tochapter 9 for discussion of these legal issues.SummaryIn the course of an investigation, the investigator may need to determine and preservethe contents of a Web site. Preserving this information may be as simple as capturing ascreen shot of the relevant material, but techniques to capture the underlying HTMLsource and the entire contents of a Web page are also explained. The investigator shouldbe aware that Web page content is dynamic and can change often. This chapter providesa potential resource for viewing the historical content of a Web page.31

Chapter 5. Investigations InvolvingInstant Message Services, Chat Rooms,and IRCThis chapter is intended to be a resource for an investigation involving the use of instantmessengers (IM), chat rooms, or Internet Relay Chat (IRC). It does not encompass acomplete discussion of all the issues surrounding the use of these communications in aninvestigation and additional expertise may be needed for a more detailed investigation.IM, chat rooms, and IRC allow users to communicate with each other in real time. Nolonger exclusive to desktop computers, instant messaging, chat, and IRC are now readilyexchanged using many portable devices such as cell phones, personal digital assistants(PDAs), pagers, and other communication devices. In this chapter, the term “computer”refers collectively to all such devices. Online messenger programs, chat rooms, and IRCfrequently allow voice, video, and file exchange as well. The voice and video material canbe prerecorded or transmitted live. Most chat rooms and IRC have multiple participants,while instant messengers allow computer users to communicate directly one to one.During a chat or IRC session, the ability to send and receive private messages may alsobe available.Instant message servicesNumerous software programs and services are available that enable users to communicatein real time. They perform similar functions, but vary in features and the informationthat is retained on the computer system. Some examples include—■ America Online (AOL ® )■ AOL Instant Messenger (AIM)■ ICQ■ IRC■ MSN Messenger■ Net Meeting■ Trillian■ Yahoo!® Messenger■ Windows ® Messenger33

SPECIAL REPORT / JAN. 07Prior to using an instant message service or chat room, most services require the user toprovide or create an e-mail account, as in the example in exhibit 12. Some companies,such as Yahoo!® and Hotmail ® , provide free e-mail accounts. In many cases, the informationprovided is not verified and may not be accurate. As a result, users of theseaccounts can easily conceal their identities and personal information.Exhibit 12. E-mail account creation (from Hotmail ® )34

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSHow IM services workA user must first establish an account and create a screen name or nickname. The userinformation provided when creating the account may be falsified. However, somemessage services log the Internet Protocol (IP) address that was in use at the time theaccount was created. This information may be obtained from the message serviceprovider with appropriate legal process. See chapter 2 for a discussion of tracing an IPaddress and the usefulness of the information obtained.Once an account has been established, a user has a number of options available to findother individuals to communicate with online. People can initiate contact throughdisclosing their screen names or can search for others by characteristics described inuser profiles. Exhibit 13 shows a contact list.Exhibit 13. Contact listA user initiates a communication by opening the IM program, selecting the user namethat he wants to communicate with, typing in the message, and clicking a “send” button.If the other user is online, the text will appear, almost instantly, in a window on therecipient’s display. While the session is active, the complete text of the conversation mayappear in both windows, but the windows may have to be scrolled in order to view theentire message. The communication appears to the users as being “point-to-point”(computer to computer) even though it may have multiple relay points during its travel.(See exhibit 14 for an instant messaging sample.)35

SPECIAL REPORT / JAN. 07Exhibit 14. Instant messagingInvestigative considerationsFor IM-related complaints, obtaining the following information from the complainant maybe beneficial.■ The computer being used to receive the communication.■ The screen or user name (victim and suspect).■ The owner of the Internet Service Provider (ISP) account being used.■ The IM service being used and version of the software.■ The content (witness account of contact or activity).■ The date and time the message was received/viewed.■ The dates and times of previous contacts.36

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKS■ Any logging or printouts of communications saved by the victim. (See exhibit 15.)■ Applicable passwords.■ Potential suspects.■ Whether an Order of Protection/restraining order was in effect.■ Witnesses that may have observed the communication.■ Whether security software was in use that may have captured additional information.If the information is still on the screen, photograph and write down verbatim thecontents of the communication (scroll if necessary). This may be the only opportunity tocapture the contents of the communication as this information may be lost when poweris disconnected.Exhibit 15. Message logging37

SPECIAL REPORT / JAN. 07Although some IM services have the ability to log information on the user’s hard drive,this logging is frequently not enabled. Realize that a forensic examination of the complainant’scomputer may provide the only evidence related to the crime. The decisionto collect the complainant’s computer will depend on the circumstances of theinvestigation.The investigator should consider whether—■ The severity of the complaint warrants the collection of the computer and submissionfor forensic examination.■ The complainant may be inconvenienced while the system is in law enforcement’spossession.■ The suspect may notice that the complainant is not online and the investigation may becompromised.Additional evidence may also be found on other computer systems or devices used bythe suspect. See Electronic Crime Scene Investigation: A Guide for First Responders(www.ojp.usdoj.gov/nij/pubs-sum/187736.htm) for information on collecting andpreserving computer evidence.Once a suspect’s screen name is identified, a computer unrelated to the investigationcan be used to identify if an online “profile” is associated with the screen name. Theprofile might include pictures and other information that would assist in identifying thesuspect. (See exhibit 16.)Service providers are not required to retain IP address information.Therefore, whenan IM program is involved, time is of the essence. A preservation letter should be sentto the messenger service provider to maintain information while additional legal stepsare pursued. Refer to chapter 9 for further discussion on preservation letters.Chat roomsChat rooms are similar to IM services in that they allow users to communicate in realtime. However, instant messaging is usually one to one, whereas chat rooms are usuallya group conversation involving two or more people. Certain software programs or ISPsprovide lists of chat rooms based on areas of interest or topics of discussion. Users mayhave unrestricted access to these chat rooms or the chat rooms may be restricted bysize (number of participants) or password.Chat sessions may be monitored and logged by the service provider, providing a potentialwitness and documented content of the sessions. However, log retention varies dependingon the service provider and time is of the essence. A preservation letter should besent to the chat service provider to maintain information while additional legal steps arepursued. Refer to chapter 9 for further discussion on preservation letters.In chat rooms, a screen name might not be permanently reserved for a specific individualand therefore cannot be relied on to identify a person. Each user in a chat room must38

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSExhibit 16. Profile screenhave a unique screen name for that session. However, when that individual logs off, thatscreen name may be available for use by another individual. In addition, different individualscan use the same screen name at the same time if they are in different chat rooms.Just because the same screen name is seen in a chat room on another occasion doesnot necessarily mean the same user was using that screen name at the time the originalcomplaint was received. Exhibit 17 shows a chat room screen.Investigations involving chat roomsMany of the steps followed when investigating chat rooms are similar to those usedwhen investigating crimes involving IM services. The following may be relevant informationto obtain in a chat room investigation:■ Name of the chat room.■ Web address of the chat room.■ Computer being used to receive the communication.■ Screen or user name (victim and suspect).39

SPECIAL REPORT / JAN. 07Exhibit 17. Chat room screen■ Owner of the ISP account being used.■ Chat software being used, and version of the software.■ Content (witness account of contact or activity).■ Date and time the communication took place.■ Dates and times of previous sessions where similar activity took place.■ Logging or printouts of communications saved by the victim.■ Applicable passwords.■ Potential suspects.■ Order of Protection/restraining order.■ Witnesses.■ Was security software in use that may have captured additional information?40

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKS■ Did the victim notify the ISP?■ Did the victim capture the IP address?■ Was the chat session monitored? If so, was it reported to the chat monitor and can thechat monitor be identified?If the program being used by the complainant supports logging and other securityoptions, suggest that they be turned on to preserve future communications.As with investigations involving IM services, realize that the complainant’s computermay contain the only evidence related to the crime.The decision to collectthe complainant’s computer will depend on the circumstances of the investigation.Investigative considerationsThe investigator should consider whether—■ The severity of the complaint warrants the collection of the computer and submissionfor forensic examination.■ The complainant may be inconvenienced while the system is in law enforcement’spossession.■ The suspect may notice that the complainant is not online and the investigation may becompromised.Additional evidence may be found on other computer systems or devices used by thesuspect and/or other chat room participants. See Electronic Crime Scene Investigation:A Guide for First Responders (www.ojp.usdoj.gov/nij/pubs-sum/187736.htm) for informationon collecting and preserving computer evidence.If the information is still on the screen, photograph and write down verbatim thecontents of the communication (scroll if necessary). This may be the only opportunity tocapture the contents of the communication as this information may be lost when poweris disconnected.Internet Relay ChatInternet Relay Chat is a virtual gathering place where individuals exchange information.IRC is based on a client-server model. IRC is made up of networked servers, where thousandsof individuals use a “client” (software program) that connects them to an IRC serverthrough an ISP. Several servers linked together make up a network. Once usersconnect to an IRC server, they can exchange text-based messages and files in real timewith others who also are connected to the same network. (See exhibit 18.) All IRC usersconnected to the same channel receive the same message, “Hi Folks!”41

SPECIAL REPORT / JAN. 07Exhibit 18. Internet Relay ChatSome of the more popular IRC networks are—■ EFnet■ Undernet■ DALnethttp://www.efnet.orghttp://www.undernet.orghttp://www.dal.net42

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSThe following Web sites can be used as resources to download IRC client software andobtain specific information regarding its use, such as frequently asked questions (FAQs),help guides, user tips, and links to other resources.■ Windows ®— mIRC http://www.mirc.com— Pirch http://pirchworld.com■ Linux/Unix— Bitch-X http://bitchx.org— Ircii http://eterna.com.au/ircii/— Epic http://epicsol.org■ Macintosh— Ircle http://www.ircle.comClient software includes user-configured settings. Examples are—■ Port number.■ User name.■ E-mail address.■ Nickname(s).■ Internet Protocol address.■ Domain name.■ Logging capabilities.NicknameOf significance to the investigator is the user-defined nickname (“nick”). An IRC usermust have a nickname, and a common practice is for users to create nicknames thatsuggest their interests or hobbies. For example: bbsitR (“babysitter”), boylvr (“boylover”),or 2yng4u (“too young for you”). Nicknames may be preceded by a specialcharacter denoting additional privileges for that user. For example, a channel operator isidentified by the “@” symbol in front of his nickname.A nickname generally is not permanently reserved for a specific individual and thereforecannot be relied on to identify a person. Each user in an IRC network must have a uniquenickname while logged on to that network. In most cases, when that individual logs off,that nickname is available for use by another individual. Just because the same nicknameis seen in an IRC network on another occasion does not necessarily mean the same userwas using the nickname at the time the original complaint was received.43

SPECIAL REPORT / JAN. 07ChannelsChannels are “gathering places” for IRC users and are either public (anyone can join) orprivate (users must use a password key to gain entry or only invitees can join). Users canjoin more than one channel at a time or create their own channels. Channel names arestrings of characters beginning with a “#” or “&.”The first person that joins a channel effectively creates it and is, at least initially, in chargeof the channel as a channel operator (“channel-op”). A channel will remain open until thelast user exits. Channel operators control the channel settings and can designate otherusers as channel operators. By default, a channel is public. Any user can type a notice tosend to a public channel, acquire a list of its users, or join the conversation. Users caneasily be located on IRC unless a user’s mode is set to “invisible.” Channel operators canchange the characteristics of their channel by changing the mode settings. Some settingsallow operators to—■ Make the channel accessible only by invitation.■ Allow only designated users to be able to post messages.■ Make a channel private or secret.■ Ban a user from entering the channel.Malicious code distributionIRC servers can also be used by writers of malicious code to gain control over infectedcomputer systems. To accomplish this, the code writer surreptitiously distributes a smallprogram or command to other computers. At specified times, this program causes theinfected computer to initiate a connection with an IRC server. Typically, the code writercreates a private IRC channel so that access to the infected computers is limited. Oncethe connection is created, commands may be given by members of the private channelto the remote computer.Once control over an infected computer is established, commands can be given thatdirect the infected computer to send e-mail, transfer files, or probe other computer systems.When a code writer controls hundreds of remote infected computers, commandsmay be given that cause all of the infected computers to simultaneously send packets toany other computer on the Internet. This is referred to as a Distributed Denial of Service(DDOS) attack. Depending on the number of infected computers and the bandwidth ofthe victim computer, the DDOS may cause a disruption of service to the victim. Seeappendix E, sample 4, for a sample case involving an IRC being used by a malicious codewriter to control infected computers.DCC chatDirect Client to Client (DCC) chat allows two users to communicate directly with eachother rather than through the IRC network, making their communication more private.DCC is used for essentially two things: transferring files between two computers andopening a chat link between two computers. (See exhibit 19.)44

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSExhibit 19. Direct Client to Client (DCC) chatIn DCC, the initiating user’s host network and IP address are displayed on the screen. Ifthe complainant logged DCC chat sessions, the suspect’s IP address may be found in thelog files or onscreen if the complainant has not closed out the chat session. (For informationon tracing IP addresses, refer to chapter 2.) The sender’s host and IP address isunderscored in the following example:Offering DCC SEND “sexygirl.jpg” connection to Cybercop DCC SEND offer from BadBoy (~where@24.41.36.149) host:port=192.168.1.100:1024 (“sexygirl.jpg”, 1304484 bytes) 45

SPECIAL REPORT / JAN. 07File server (“fserv”)IRC users can configure their computers to act as a file server (fserv) to make their collectionof images, video clips, audio clips, and other types of files available for others todownload via a DCC session.In channels where an fserv is operational, the fserv owner will post a message. The messageprovides command line instructions and a description of the files that are available.A user must intentionally initiate a connection to an fserv in order to select a specific fileto download.The IP addresses of the host and client(s) may be found in the log files of the fserv host,the client computer, or onscreen if the chat session has not been closed. (For informationon tracing IP addresses, refer to chapter 2.)Investigative considerations for IRC-related complaints■ What IRC network does the suspect use? (Examples: Undernet, DALnet, EFnet.)■ What nicknames does the suspect use?■ What IRC channels does the suspect use?■ What is the IP address and date and time stamp?■ Was the information on the screen captured and/or documented?■ Did the complainant log or print out any of the following files:— Channel chat logs?— DCC chat or file transfer logs?— E-mail messages?— Other documents, images, or files?■ Does the complainant remember the screen names of moderators or any other participantsin the channel?■ What IRC server does the suspect use to log on to IRC? (Example: irc.abc.edu.)■ What ISP does the suspect use?■ What time of day is the suspect usually online?■ Does the suspect have channel operator (moderator) status? (May indicate a higherskill level of IRC use.)■ Did the suspect provide any personal identifying information?46

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSLegal issuesInvestigations involving IM communications, chat rooms, and IRC may be governed bythe Electronic Communications Privacy Act (ECPA), the Fourth Amendment, or appropriatewiretap statutes, depending on the location of the evidence and the timing of its capture.Refer to chapter 9 for discussion of these legal issues.SummaryIM and chat services allow users to communicate with each other in real time. User profileinformation provided when subscribers create accounts may be deceptive. The IPaddress will need to be determined and traced to identify the provider supplying theInternet service. Once the subject user’s IP address is identified, subscriber accountinformation may be obtained—with appropriate legal process—from the ISP.Investigators should be aware that a victim’s computer might contain the only evidencerelated to the crime. Care should be taken to record information visible on computerscreens and to secure hardware, peripheral media, and software as appropriate.Additional evidence of criminal activity may be found in chat and file transfer logs, e-mailmessages, and other data.47

Chapter 6. Investigations InvolvingFile Sharing NetworksInvestigators increasingly encounter new methods being used to share files containingcontraband or illegally obtained data. One fast-growing method being used to commitcrimes on the Internet is file sharing networks. The most popular file sharing processesare File Transfer Protocol (FTP) and Peer-to-Peer (P2P) networks. This chapter provides anoverview of these technologies. For investigative tips, see appendix D.File Transfer ProtocolFTP is based on a client-server model that enables a user to transfer files to and from another computer. Any computer can act as either a client or a server. FTP sites can be configured to allow an anonymous connection or require a user name and password. Some common FTP client programs include Web browsers, WS-FTP (Light Edition & Pro), War FTP Daemon, CuteFTP, BulletProof FTP, and FTP Voyager. The client-server model is similar to a central file cabinet in an office where people can access documents. (See exhibit 20.) Exhibit 20. FTP49

SPECIAL REPORT / JAN. 07FTP scenarioFred searches the chat channels and news groups to find the addresses of FTP serversthat are sharing music. He uses an FTP client program to connect to the FTP serveraddress he has found. He reviews the music available and if he finds the song he wants,he downloads the song.Peer-to-PeerA true P2P network shares information directly between computers and does not requirea server. In the file sharing P2P networks such as Kazaa, Grokster, Morpheus, orBlubster, users searching for a desired file query a directory that is stored on a server.(Note: The server does not usually maintain audit logs of file transfer activity.) The directorypoints the user to the computer or multiple computers where the actual file isstored. The user then downloads the file directly from one or more computers on a P2Pnetwork that contains the file. The structure of a P2P network changes as computersenter and leave the network, so a P2P network is in a constant state of change. (Seeexhibit 21.)Many P2P applications exist; some of the more popular applications include Kazaa,Grokster, Morpheus, Blubster, WinMX, iMesh, Filetopia, eDonkey, and Freenet.Exhibit 21. P2P Network50

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSSimple P2P scenarioFred wants to obtain child pornography. Fred starts up Kazaa file sharing and searchesother Kazaa users for the common child pornography term “Lolita.” Users on the Kazaanetwork normally have a directory of items they share to the network. Fred finds numerousfiles that match his search term and transfers them to his computer directly from thesource(s).Investigative considerations for file sharing networksFTP and P2P file sharing networks have valid uses, but they also enable users to easilysearch for, obtain, possess, and/or distribute a variety of illegal content. An individual whouses FTP or P2P may possess a combination of illegal material and illegally obtaineddata, such as—■ Child pornography.■ Copyrighted material (music, movies, video games, photographs, software).■ Intellectual property/trade secrets.■ Financial information (credit card numbers, bank account information).■ Personal identifying information (social security number, date of birth, driver’s license).As users become more sophisticated, they may develop other techniques to mask theirtrue identity. Among these techniques are the use of proxy servers.Complex P2P scenario—proxy serverFred, who does not want to be traced back to his work computer, searches the Internetfor free proxy services. Fred starts up the Kazaa program, configures it to use a freeproxy server Internet Protocol (IP) address, then searches for the term “Lolita.” Fred findsfiles that match “Lolita” and starts transferring the files to his computer via the proxyserver. If an investigator tries to find Fred by tracing Fred’s IP address, the investigatorwill only be able to trace the IP address to the proxy server. However, if the proxy servermaintains logs, the investigator may be able to obtain information that may identify Fred’strue IP address. At times, though, the proxy server may be located in another country, orlogs may not be available. (See exhibit 22.)Investigations of crimes involving file sharing networks can be complex, requiring additionalresources and expertise. The first step in these investigations is to determinethe IP address of the suspect computer. The address of the suspect computer may beobtained from the complainant’s Internet Service Provider (ISP) by forensic examinationof the complainant’s computer or through the use of proactive undercover techniques.Undercover techniques are beyond the scope of this special report. Some file sharingapplications provide anonymity by using redirectors and proxy servers and can disguisea user’s location from other users and investigators.51

SPECIAL REPORT / JAN. 07Exhibit 22. Proxy server scenarioForensic exam evidenceEvidence the investigator can obtain from a computer forensic exam includes—■ Files that are either contraband or illegally possessed.■ Configuration files showing server or user information, connection history, shareddrives on a network, or Internet sites that provide offsite data storage space (e.g.,X-Drive, Yahoo!® Briefcase, .Mac, etc.).■ Data files showing file sharing locations with user names, passwords, search terms,file listings, and date and time information (.db, .dbb).■ Log files that show transfers and network activity.■ Stored e-mail that shows relevant user activity.■ File transfer programs.ISP evidenceEvidence the investigator can obtain from the suspect’s ISP:■ Firewall, Dynamic Host Configuration Protocol (DHCP), and RADIUS logs, which mayassist in connecting the suspect to the illegal activity.■ E-mail server logs, payment records, and subscriber information, which may assist inidentifying the suspect and in connecting the suspect to the illegal activity.Legal issuesInvestigations involving file sharing networks may be governed by the ElectronicCommunications Privacy Act (ECPA), the Fourth Amendment, or appropriate wiretapstatutes, depending on the nature of the investigation and location of the evidence. Referto chapter 9 for discussion of these legal issues.52

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSSummaryThis chapter introduces the concept of file sharing networks. FTP and P2P networksallow users to share files. FTP client programs enable users to download files from acentral server, whereas P2P client programs allow users to exchange files directlybetween computers. FTP and P2P network users can obscure their true IP addressesthrough the use of proxy servers, which means that those server logs must be obtainedin a timely manner.53

Chapter 7. Investigations of NetworkIntrusion/Denial of ServiceThis chapter is intended to be a resource for the investigation of a network intrusion or aDenial of Service (DoS) attack. Since intrusions and DoS attacks are frequently implementedby the use of a virus, worm,Trojan, or script, a brief discussion of theseprograms is included. Network investigations can be very complex and may require additionalexpertise beyond the scope of this special report. Obtaining contact information forsuch resources prior to conducting an investigation is beneficial. However, some basicsteps can be taken to identify what occurred and to preserve the evidence for furtherinvestigation.What is a network?A network at its most basic level is two or more devices connected in some way usinghardware and software to enable the devices to communicate. Devices such as (but notlimited to) computers, printers, routers, switches, wireless devices, access points, laptops,and personal digital assistants can be nodes on networks. A node is a networkcomponent that performs network-related functions and is treated as a single entity.Connection media between nodes may include wire cable (twisted pair, untwisted pair,coax), fiber optic, wireless, microwave, infrared, or satellite. The way a network is configuredin terms of nodes and connections is referred to as its architecture. Network architecturecan range from two devices connected to each other in one location to hundredsof thousands of devices connected across many geographically dispersed locations.Any node on a network may be an important source of evidence when investigating anetwork-based crime.Viruses, worms, and TrojansViruses, worms, and Trojans are generally malicious programs (malware) that causean unexpected and frequently undesirable action on a victim’s system. A virus is anexecutable file designed to spread to other computers without detection. It can betransmitted as an attachment to e-mail, as a download, or be present on a diskette or CD.A worm is a type of virus that self-replicates across a network, consuming systemresources and slowing or halting the system. A Trojan is a malicious code concealedwithin an apparently harmless program that hides its true function.55

SPECIAL REPORT / JAN. 07ScriptsA script is a file that automates the execution of a series of commands. Network administratorsoften use scripts to facilitate completion of a task such as creation of useraccounts or the implementation of security updates. Scripts are easily obtained, oftenshared via the Internet, and can be used by individuals with limited computer knowledge.Scripts can be used to discover and exploit a network’s vulnerabilities.Network intrusionAn intrusion is the unauthorized access or access in excess of a user’s privileges on anetwork. An intrusion is usually accomplished by taking advantage of a system that is notproperly configured, a known vulnerability that was not patched, or weak security implementationsuch as a blank or easily guessed password. Once access to the network hasbeen gained, the intruder(s) can exploit the system in various ways. Some examplesinclude—■ Intelligence gathering.■ Determining user accounts and passwords.■ Network mapping.■ Creating additional accounts or access paths (backdoors) for later use.■ Escalating user privileges.■ Using sniffer software to monitor network traffic.■ Using network resources to store and/or share files.■ Gaining access to proprietary or confidential data.■ Theft or destruction of data.■ Using resources to identify and exploit other vulnerable systems.Denial of ServiceA Denial of Service attack is an action (or actions) designed to disrupt the target system’sability to provide network services and prevent users from accessing resources. A commonDoS attack generates a flood of data, placing an overwhelming demand on a system’sresources so that it cannot respond to legitimate requests. Although frequentlyintentional, a DoS can also occur unintentionally through a misconfigured system.56

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSInvestigating intrusions and DoS attacksOne of the first steps taken in any investigation is to identify individuals who have informationrelating to the incident. In a network investigation those individuals may include—■ Network administrators.■ Employees, current or former.■ Network users.■ Internet Service Providers.■ Consultants.■ Information technology manager(s).■ Human resources.■ Account managers.Be aware that any of the above listed individuals may be a potential suspect ormay not be forthcoming in providing accurate information.Additional information to gather from the victim includes—■ Economic impact of the incident.■ Network security measures in place at the time of the incident.Identification of the network architecture also is important. Usually the network administratorwill be able to provide information on the devices connected to the network, theirphysical location, and the way they are connected. Other sources of evidence to considerinclude—■ Locally connected computers and servers.■ Remote users and devices.■ External network service providers.— Offsite storage.— Application service providers.— Offsite backup service providers.Note: Keep in mind that devices containing evidence may be in different buildings,States, or countries.57

SPECIAL REPORT / JAN. 07The system administrator should be able to provide information on any system managementtools or security measures that were in place at the time of the incident, the typesof logs that were being maintained, and backup logs from the time of the incident.Examples of information that can be obtained from logs include whether—■ Accounts were added.■ Files were added, modified, copied, or deleted.■ Security settings were reconfigured or backdoors added.■ Virus or Trojan activity is indicated.■ Intrusion and sniffer tools were copied to the network.■ Internet Protocol addresses of the apparent perpetrators were logged.■ Services were stopped or started.■ Ports were closed or opened.■ Other relevant activity occurred.If logging has not been turned on, suggest the victim enable logging to collect anypotential evidence from future occurrences.In many network investigations, the reporting entity is the victim. The investigatorshould be aware of the repercussions of any actions taken in the collection of evidence.Depending on the situation, the investigative response could be as simple as the collectionand examination of log files, or as complex as bringing in a network computer forensicexpert who may shut down the entire network and image the systems. Be aware thatshutting down the network could result in significant loss of revenue.Wireless networksWhile many networks use some type of physical cable connection for communication,wireless networks using radio signals to communicate have become quite popular. Awireless network is a simple and inexpensive method of sharing resources that does notrequire a hard-wired connection. However, the use of a wireless network requires theuser to be in the proximity of the wireless access point. The strength of the wirelesssignal that is transmitted will determine how close a user must be to use the networkresources.Depending on the configuration, users may be able to connect to a wireless networkwithout the knowledge of the network owner simply by being close enough to thesignal. For example, “war driving” refers to driving through a neighborhood with awireless-enabled device in order to identify wireless access points. Wireless “hot58

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSspots” are now available in many public locations such as airports, coffee shops, bookstores,and fast food restaurants.Information to collect during a wireless network investigation may include whether—■ The Service Set Identifier (SSID) was being broadcast. The SSID is an identifier includedin packets to allow the differentiation between multiple wireless networks. Allaccess points and all devices using a specific wireless network must use the sameSSID.■ Wired Equivalent Privacy (WEP) was enabled. WEP is a form of encryption that is usedto protect wireless communication from eavesdropping and to prevent unauthorizedaccess to a wireless network.■ Dynamic Host Configuration Protocol (DHCP) was enabled and if logs are available.When DHCP is enabled, a system is automatically configured and allowed to connectto the network.■ Logs were maintained of wireless connections that were established.This information will help determine how vulnerable the network was to an intrusion. If the above security measures were implemented, a nonauthorized user would require special knowledge and/or tools to gain access. Note: This chapter provides an introduction to network investigations. By nature, this type of investigation is technically complex and is likely to require the assistance of specialized experts in the field. Vulnerabilities and exploits are continually discovered and information on these issues is made available by several organizations including SANS (www.sans.org) and CERT (www.cert.org). Information related to viruses, Trojans, and worms is provided by antivirus software producers, such as Symantec (www.symantec.com), Computer Associates (www.ca.com), and F-Secure (www.fsecure.com). Legal issuesNetwork investigations may raise issues concerning the Fourth Amendment, ElectronicCommunications Privacy Act (ECPA), and the Privacy Protection Act. These issues arediscussed in more depth in chapter 9 of this publication; in another publication in thisseries, Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors(www.ojp.usdoj.gov/nij/pubs-sum/211314.htm); and in the U.S. Department of Justice,Computer Crime and Intellectual Property Section’s white paper entitled Searching andSeizing Computers and Obtaining Electronic Evidence in Criminal Investigations (July2002) (www.cybercrime.gov/s&smanual2002.htm).SummaryThis chapter provides details regarding methods used in network intrusions and Denial ofService. The concept of file sharing networks covers File Transfer Protocol (FTP) and Peerto-Peer(P2P) networks. Viruses, worms, and Trojans are generally malicious programs59

SPECIAL REPORT / JAN. 07that can cause an unexpected and frequently undesirable action on a system. A scriptis a file that automates the execution of a series of commands, and an intrusion isthe unauthorized access or access in excess of a user’s privileges on a network.Considerations are provided on network investigations and include information onphysical cable connection as well as wireless connections for communication. One ofthe first steps taken in any investigation is to identify individuals who have informationrelating to the incident.60

Chapter 8. Investigations InvolvingBulletin Boards, Message Boards,Listservs, and NewsgroupsAlthough electronic mail and instant messaging have become increasingly popular, otherforms of electronic communication, some dating to the 1960s, remain in active useamong certain users with specialized interests. Because these older electronic communicationservices may be used to further criminal activities, such as fraud and childexploitation, investigators should know how these systems work and how to gatherevidence from them.When investigating offenses involving the Internet, time, date, and time zone informationmay prove to be very important. Server and computer clocks may not be accurate or setto the local time zone. The investigator should seek other information to confirm theaccuracy of time and date stamps.Bulletin Board ServicesBefore the Internet became a mainstream communications medium, computer usersoften communicated directly with one another via modems and Bulletin Board Services(BBS) programs. These connections are not relayed by way of the Internet. They are privatecommunications established over common telephone lines directly between twocomputers.The BBS communications, while generally slower than the Internet, do not require anInternet connection. In order to access a BBS, a computer and modem are used to dial atelephone number to establish a connection with the BBS hosting computer. Typically,the BBS host authenticates (through user name and password) whether the user isauthorized to use the system. After entry into the system, access is allowed to uploadedfiles and posted messages. Groups of associated messages and responses constitutediscussion “threads.”The BBS host has absolute control over users allowed on the system. For example,the BBS host can set different access levels within the BBS, allowing only the mosttrusted users access to the most sensitive information. Therefore, in some cases, theinvestigator may need to gain the confidence of the BBS operator to access certainareas within the BBS. Since the connection between the two computers is not Internetbased, Internet-related investigative tools and techniques will not work in the BBSenvironment. 1212Some Internet-based programs emulate the BBS applications. In these situations, follow normal Internet-based investigative techniques.See chapter 4.61

SPECIAL REPORT / JAN. 07Important information to consider in the initial stages of a BBS investigation includes—■ What is the phone number of the BBS? (If Web site, refer to chapter 4.)■ What is the name of the BBS?■ What was the date and time of the activity?■ Are logs available from the BBS server?■ Where is the BBS located?■ What software is in use by the BBS?■ What is the user ID and password for accessing the BBS?■ What is expected to be found (graphics, text messages, etc.)?Message boardsMessage boards are based on the World Wide Web at services such as Yahoo!® Groups(Groups.Yahoo.com) or Topica.com. Users can log in after obtaining a user ID and password(in most cases) and post information on a given topic. In some cases, users canread but not post messages on Web-based message boards without logging in to thesystems that host the boards. Often the messages will not be found by search enginesbut will only be accessible through direct access to the message board service. Forexample, messages posted on a Yahoo!® private message board can only be viewed bymembers of that particular board. Since message boards are Web based, evidence canbe preserved in the same manner as a standard Web site investigation (see chapter 4).To identify the individual who posted a message, the originating Internet Protocol (IP)address may be subpoenaed or obtained with appropriate legal process, which can identifythe Internet Service Provider (ISP). A separate legal process may then be needed toobtain user or account information.Postings to message boards may contain the originating IP address or e-mail address ofthe individual, commonly known as the “poster.” In these cases, issuing a subpoena orappropriate legal process directly to an ISP may identify the posters. Note that the informationprovided by posters could be fictitious and/or in some cases may be altered byindividuals who have access to the posting. The service provider is not likely to retaininformation regarding users who only visit the board without logging in. Service providershave differing retention periods for logs and other information that may be of interest toinvestigators.Questions in message board investigationsWhen investigating message boards, a number of important pieces of information can beobtained. Among some of the questions to be answered are—■ What is the name of the message board?62

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKS■ What is the URL of the message board?■ Who hosts the message board?■ Is authorization required for membership?■ Is there a password and/or user ID?■ Can the investigator gain access?■ Is a guest account available?■ What is the user name of the suspect?■ What type of message board management software was used?■ Is the message board moderated? If yes—— Who are the moderators?■ Are archives available?— Who has copies?— Did any participants maintain their own archive?■ Is date and time information correct on the hosting server?■ How did the complainant discover the message board?■ How long and to what extent has the complainant used the message board?■ What is the complainant’s user name on the message board?■ Who are the other members on the message board?■ Is other information known about the suspect?■ Has the complainant had other forms of contact with the suspect?If investigators need to access the message board to answer the above questions,keep in mind that identifying information about the investigator’s computer may berevealed and can compromise the investigation.ListservsListservs are popular among special interest groups seeking an efficient and inexpensiveway to communicate with large groups of people. A group’s listserv is an e-mail-basedservice that allows a subscriber to send an e-mail to a single address for distribution to all63

SPECIAL REPORT / JAN. 07subscribers. Listserv software provides a central point of administration for the distributionof e-mail. Listservs can be publicly accessible or privately administered, allowing amoderator to control access and content. Some listservs are Web based, such asYahoo!®Groups or Topica, while others exist on private mail servers, using such softwareas “Mailman” or “L-soft.”A listserv allows subscribers to send bulk electronic mail to all members of the groupwith both individual messages and digests containing multiple messages. In somecases, subscribers are allowed to upload and download files from designated file storageareas or send and receive files as attachments, which are subsequently stored on themail server.Although the network administrator of the hosting server will have ultimate control overthe operations of a listserv, the person responsible for the configuration of an individuallistserv is the list administrator or list owner. The list owner designates moderators andassigns them administration rights, such as adding and deleting users and approvingmessages for distribution on a moderated list.Because listservs have multiple layers of information, the investigation may require acombination of Web, e-mail, and message board investigative techniques.Questions in listserv investigationsWhen investigating listservs, a number of important pieces of information can beobtained. Some of the questions to be answered are—■ What is the name of the listserv?■ Who hosts the listserv, and on what mail server?■ What listserv software was used?■ Who is the list administrator (owner)?■ Is the listserv moderated? If yes—— Who are the moderators?■ Are archives available?— Who has copies?— Did any participants maintain their own archive?■ What is the e-mail address of the sender?■ Is a message “header” available? (See chapter 3 for details.)■ How did the complainant first find out about this listserv?■ How long has the complainant used the listserv?■ What is the complainant’s e-mail address?64

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKS■ Who are the other members on the listserv?■ Are other e-mail addresses used by the suspect?■ Has the complainant had other forms of contact with the suspect?— E-mail, telephone, instant messaging?■ Is the identity of the suspect known? How?■ Is other contact information or biographical information about the suspect available?NewsgroupsNewsgroups are large messaging systems that consist of text messages and encodedfiles (e.g., pictures, sounds, movies, programs) organized into categories of interest withmultiple subcategories and topics. The Usenet, which is the Internet network wherenewsgroups are structured, hosts hundreds of thousands of newsgroups at any giventime. The news service provider, usually the user’s ISP, determines the newsgroups availableon any particular news server. Free news servers also are available but usually provideaccess to a limited number of news groups. Subscription news servers are availablethat provide access to an unlimited number of news groups.Newsgroups currently operate using the Internet and a protocol, or a set of operatingspecifications, known as Network News Transfer Protocol (NNTP). This protocol is similarto the e-mail protocol (SMTP). Message headers for newsgroup postings can be tracedin a manner similar to e-mail headers (see chapter 3). Newsgroup servers are computersthat usually are interconnected and store newsgroup messages for distribution to users.Users can participate passively by reading the contents of the group postings, or participateactively by posting or requesting information from other users.Some newsgroups are moderated and therefore cannot be posted to by individuals—articles posted to them must be mailed to a moderator who will post them for thesubmitter. The presence of a moderator may provide another investigative lead. In anunmoderated newsgroup, the message is posted directly without editing. The majorityof newsgroups are unmoderated.Usually newsgroups are accessed via a special program called a newsgroup “client” or“reader.” Some browsers and e-mail clients also contain newsgroup readers. Examplesof newsgroup readers include—■ FortéAgent/Free Agent.■ Outlook ® /Outlook Express ® .■ Netscape ® .Usenet newsgroups consist of discussions on any conceivable topic. For example, a newscuba diver, looking for other divers with whom to share an experience, subscribes to anewsgroup entitled “rec.scuba.” Law enforcement can use newsgroups to locate victims,develop leads, exchange information, and proactively investigate a wide range ofpotential criminal activities and trends.65

SPECIAL REPORT / JAN. 07Newsgroups also can serve as a communications medium to facilitate a wide range ofcriminal activities, including—■ Disseminating child pornography.■ Distributing pirated software, movies, and music.■ Obtaining plans for destructive devices.■ Sharing hate-motivated writings.■ Organizing gang activities.■ Distributing information regarding insider stock trading (or posting false information tofurther stock trading fraud schemes).Newsgroup scenario of financial fraudAn individual seeking to perpetrate a stock trading scheme logs on to an online investornewsgroup and attempts to remain anonymous using an alias. He participates in discussionson the newsgroup for several weeks and builds a relationship with the other userswhile simultaneously participating in other groups in which he obtains tips on priorschemes from other offenders. He then provides fake documents and false information,including links to bogus Web sites or false e-mails he created, in an effort to manipulate astock price.Questions in newsgroup investigationsWhen investigating newsgroups, a number of important pieces of information can beobtained. Among some of the questions to be answered are—■ What is the name of the newsgroup?■ What is the e-mail address of the poster?■ Is a message “header” available?— What is the NNTP-Posting-Host?— What is the date and time of the post?— What is the message ID number?— Where did the message originate?■ How did the complainant first find out about this newsgroup?■ How long has the complainant used the newsgroup?■ What is the complainant’s e-mail address?■ Are other e-mail addresses used by the suspect?66

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKS■ Is the identity of the suspect known? How?■ Is other contact information or biographical information about the suspect available?Newsgroup message headersA standard Usenet message consists of header lines followed by the body of the message.The header is similar to the e-mail header previously discussed in chapter 3. Exhibit23 is an example of a newsgroup message header.Exhibit 23. Newsgroup message headerPath:news-hub.dragnet.net!news-lhr.fgannon.net!newsjfriday714­gui.server.ntli.net!news.markiv.net!postmark.nist.gov!pushme.nist.gov!not-for-mailFrom:Nist@Nist.govNewsgroups:alt.rec.scubaSubject:Testing Post for NISTDate:Tue,13Aug2002 04:17:00 -0500 (UTC)Organization:subscriberofnistgovLines:32Message-ID:NNTP-Posting-Host:adsl226.dyn996.pushme.nist.govX-Trace:pushme.nist.gov. 1029230220 20535 129.6.16.92(13Aug2002 04:17:00EDT)X-Complaints-To:abuse@pushme.nist.govNNTP-Posting-Date:Tue,13Aug2002 04:17:00 -0500 (UTC)X-Received-Date:Tue,13Aug2002 04:22:29 EDT (news-hub.dragnet.net)Xref:news-hub.dragnet.net alt.rec.scuba:363129To understand the parts of the newsgroup message header in exhibit 23, a line-by-linedescription follows.Path:news-hub.dragnet.net!news-lhr.fgannon.net!newsjfriday714­gui.server.ntli.net!news.markiv.net!postmark.nist.gov!pushme.nist.gov!not-for-mailThis is the path the message took to reach the current system. When a system forwardsthe message, it adds its own name to the list of systems in the front of the “Path” line.The system names may be separated by any punctuation character or characters except“.” which is considered part of the hostname.Additional names are added from the left. A host adds its own name to the front of apath when it receives a message from another host. For example, the most recentlyadded name in the above path statement is news-hub.dragnet.net.Normally, the rightmost name will be the name of the originating system. However, it isalso permissible to include an extra entry on the right, which is the name of the sender(e.g., not-for-mail indicates that the sender’s name was not translated by the server).Some Usenet software limits the size of the path in the header. Therefore, the originating67

SPECIAL REPORT / JAN. 07server entry may have been lost if the path exceeds this limit and the entry “pathtruncated” may appear.From:Nist@Nist.govThe e-mail address of the original poster. It may also contain a name or nickname createdby the poster of the message. This information is generated by the client and may notreflect an accurate name or e-mail address.Newsgroups:alt.rec.scubaThe name(s) of the newsgroup(s) to which the message was posted.Subject:Testing Post for NISTThe message topic generated by the poster.Date:Tue,13Aug2002 04:17:00 -0500 (UTC)The date and time that the message originated. This information is typically generated bythe server. Note: An offset from UTC is sometimes displayed in the following format: 13Aug 2002 04:17:00 -0500. The “-0500” in the example indicates that the time the messagewas posted to the server is Eastern Daylight Time – UTC minus 5 hours.Organization:subscriberofnistgovA short phrase describing the organization to which the sender belongs, or to which themachine belongs. The intent of this line is to help identify the organization of the personposting the message, since host names are often cryptic enough to make it hard torecognize the organization by the electronic address. If the entry is blank when the messageis received into the NNTP network, a generic entry is made by the receiving server.Lines:32This contains a count of the number of lines in the body of the message, excluding header.Message-ID:The “Message-ID” line is a unique identifier followed by the full domain name of thehost where the message entered the network.NNTP-Posting-Host:adsl226.dyn996.pushme.nist.govThe IP address or the fully qualified domain name of the computer from which themessage was received into the NNTP network. It can be the address of the sender, agateway, or a proxy server used to hide the true sender.X-Trace:pushme.nist.gov. 1029230220 20535 129.6.16.92 (13Aug2002 04:17:00 EDT)The “X-Trace” line is inserted by the server that received the message into the NNTPnetwork. It indicates the fully qualified domain name followed by the date and time thatthe post was made and the originating IP address. The string of numbers (1029230220)preceding the IP address (129.6.16.92) represents the date as the number of secondsthat have passed since January 1, 1970. The remaining number (20535) is the messagethread identifier.X-Complaints-To:abuse@pushme.nist.govThis line is inserted by the news server and provides an e-mail address for sendingcomplaints on the nature of the message.68

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSNNTP-Posting-Date:Tue,13Aug2002 04:17:00 -0500 (UTC)Time of the posting to the Usenet.X-Received-Date:Tue,13Aug2002 04:22:29 EDT (news-hub.dragnet.net)The date and time the message was received by the server on which that particularnewsgroup is hosted.Xref:news-hub.dragnet.net alt.rec.scuba:363129This line contains the name of the host and a list of colon-separated pairs of newsgroupnames and message numbers. For example, the above “Xref” line shows that the messageis message number 363129 in the newsgroup alt.rec.scuba, on host newshub.dragnet.net.Note: All header lines may not be displayed by default. Consult the documentation forthe particular newsgroup client to determine how to display complete header information.Investigative stepsInvestigative steps are as follows:■ From the header, identify the newsgroup server to which the message was first postedand the Message-ID.■ Identify the owner of the domain that hosts the newsgroup server using the “whois”command as described in chapter 2.■ From the owner of the domain, determine the administrative contact for that newsgroupserver.■ Contact the administrative representative for the newsgroup server. Determinewhether server logs were maintained that contain subscriber information or an IPaddress associated with the Message-ID.■ Use appropriate legal process to obtain that information.In many cases logs are not maintained or are only maintained for a short period oftime. Therefore, when a newsgroup message is involved, time is of the essence. Apreservation letter should be sent to the newsgroup service provider to maintain informationwhile additional legal steps are pursued. Refer to chapter 9 for additional information.Other techniques to augment the investigation may include searching newsgrouparchives, Internet-based e-mail services such as Yahoo!® and Hotmail ® , and the WorldWide Web for the same or similar user names, e-mail addresses, important keywords,and biographical or other information that may assist in identifying the poster or suspect.Methods to preserve evidentiary information in newsgroups include—■ Use software such as SnagIt, Camtasia, PC Pro, and Adobe ® Acrobat ® to capture screenshots of the messages and headers.69

SPECIAL REPORT / JAN. 07■ Photograph newsgroup messages and headers on the screen.■ Use print screen function to capture the contents of messages and their headers andpaste each capture individually to another destination file using a program such asWordPad or Paint. Note: The print screen function will only capture what is visible.If other portions of the message are required, the screen may need to be scrolled andrecaptured.■ Print messages and headers to hardcopy form.■ Search and capture news archives for copies of messages using the methodsdescribed above.Investigative uses of bulletin boards, message boards,listservs, and newsgroupsThese technologies can be useful sources of information for an investigator. Their usemay—■ Identify additional victims. Victims may post information regarding their victimizationand seek out other victims and resources.■ Develop leads. Postings may yield information about how the subject obtainedinformation needed to commit the crime.■ Identify co-conspirators. Threads of prior postings can have biographical or otheridentifying information for co-conspirators.■ Identify and assist in proving a course of conduct. Threads of discussion can helpestablish when the criminal venture was created, how it developed, and when itconcluded. In addition, evidence of prior acts may exist in prior postings.■ Facilitate proactive investigation. Law enforcement can track postings used in ongoingcriminal activity.Legal considerationsInvestigations involving bulletin boards, message boards, listservs, and newsgroups maybe governed by the Electronic Communications Privacy Act (ECPA), the FourthAmendment, or appropriate wiretap statutes, depending on the location of the evidenceand the timing of its capture. Refer to chapter 9 for discussion of these legal issues.SummaryAlthough newer Internet communication tools are more popular today, earlier forms ofdigital communication services, including bulletin boards, message boards, listservs,and newsgroups are still in use and may be the subject of criminal investigations.70

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSBulletin Board Service users establish communication via telephone modem dial-upaccounts to remotely access the host server to read or post messages. StandardInternet trace tools may not be of use in obtaining subscriber information. The investigatormay be required to covertly access the BBS or obtain telephone records and call data.Listservs allow multiple subscribers to send bulk e-mail to all members of a group and, insome cases, listservs can allow subscribers to exchange files via a common downloadsite. A combination of Web, e-mail, and bulletin board investigative techniques may beneeded to obtain subscriber information.As is the case with many Internet-based services, subscriber information and digitalevidence are volatile. Investigators should move quickly to obtain and preserve evidence.71

Chapter 9. Legal IssuesTo ensure the admissibility of evidence for a successful prosecution and to avoid civil liability,consideration should be given to the methods and procedures of how evidence isobtained during the investigative process. Constitutional standards, statutory provisions,policies and procedures concerning investigations, and industry-specific acts govern theinvestigative process. As case law is developed and additional laws and regulations areenacted, other legal requirements may apply. For a more complete discussion of theserequirements, refer to another guide in this series, Digital Evidence in the Courtroom: AGuide for Law Enforcement and Prosecutors (www.ojp.usdoj.gov/nij/pubs-sum/211314.htm).Note: A comprehensive analysis of Federal search and seizure issues, Searching andSeizing Computers and Obtaining Electronic Evidence in Criminal Investigations, can befound at www.cybercrime.gov/s&smanual2002.htm.During Internet and network investigations it may be beneficial for the investigator tocommunicate with Internet and network service providers before serving legal process.The providers may be able to instruct the investigators on available data that would allowthe investigator to include the proper wording in the legal documents and any special circumstancesor requirements that exist. For example, certain Internet Service Providers(ISPs) have procedures in place to facilitate the issuance of and service of search warrants.Note: The investigator should be aware that service of legal process on a private companymay cause the company to notify the subject that it has received legal process to discloseinformation about the account.Preservation letters or ordersTimeliness is critical. Due to the dynamic and temporary nature of digital records, andbecause of the variability in the duration of time that records are retained by serviceproviders, investigators are encouraged to consider issuing a preservation letter underthe provisions of 18 U.S.C. § 2703(f). Generally, no regulations pertain to the retention ofrecords held by service providers. These records may be retained briefly or not at all. Theuse of a preservation letter or order may be advisable to prevent these records frombeing destroyed. Although this is a Federal statute, State and local agencies can use thisdocument to preserve digital evidence. Although preservation requests have no legallyprescribed format, usually a phone request followed by a faxed letter is sufficient. A sampleletter is provided in appendix G.18 U.S.C. § 2703(f)(1) states: “A provider of wire or electronic communication service ora remote computing service, upon the request of a governmental entity, shall take allnecessary steps to preserve records and other evidence in its possession pending theissuance of a court order or other process.”73

SPECIAL REPORT / JAN. 07Preservation letters require providers to preserve records that exist at the time the letteris received, but cannot require preservation of future information. On receipt of thepreservation letter, the provider must retain records for 90 days. Additional requests mayextend the period in increments of 90 days.SubpoenasSubpoena requirements vary widely within and between jurisdictions. Additionally, differentprivate organizations may have specific requirements. When drafting a subpoena,specifically define the evidence sought without excluding significant information. It maybe advisable to coordinate with your local prosecutor or legal advisor for specificsubpoena requirements.Search warrantsAs with subpoenas, requirements for search warrants vary within and between jurisdictions.In all cases, however, probable cause that a crime was committed and thatevidence or contraband of that crime exists in the specific location you wish to searchshould be articulated. The particular evidence or contraband to be seized should bedescribed as well. For further information on drafting a search warrant, refer to Searchingand Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations,which can be found at www.cybercrime.gov/s&smanual2002.htm. See the FourthAmendment section in this chapter for further discussion.During the execution of a search warrant, if evidence is discovered that is notdescribed in the warrant, consider obtaining an additional or amended warrant.Be cautious when using a template or boilerplate warrant as a guide. Ensure thatthe warrant fits the specifics of the investigation.Multijurisdiction issuesInternet and network investigations frequently involve communications that cross local,State, and even international boundaries. As sources of evidence are identified, determinewhether the source is located within your State, the United States, or outside theUnited States.If you have any suspicion that a source may be located overseas—and this is frequentlydifficult to discern—stop the search and consult the Computer Crimes and IntellectualProperty Section (CCIPS) of the U.S. Department of Justice. CCIPS can be reached 24hours a day at 202–514–1026.74

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSIf the evidence is located outside the United States, immediately contact the relevantcountry to seek assistance. Such contacts may be made by the investigating agency orthrough the International Network of 24-hour Points of Contact. CCIPS is the Point ofContact for the United States. The U.S. Department of Justice, Criminal Division, Officeof International Affairs (OIA) should also be advised promptly at 202–514–0000.Foreign assistance with digital evidence may include anything from preserving evidenceto immediate disclosure, depending on the facts of the case and which country isinvolved. OIA and CCIPS can advise on the best approach.Sometimes evidence may have to be obtained via a Mutual Legal Assistance Treaty orAgreement (MLAT or MLAA). 13 Such requests must go through OIA. If the United Statesand the relevant country do not have an agreement, procuring the evidence may requirethe more cumbersome letters rogatory. 14 Both of these processes are time consuming,and often the requested information will take months to receive. However, it may be possibleto procure evidence informally for investigative purposes while formal process ispursued to procure evidence in a form usable in court.Federal law affecting State and local investigatorsInvestigators, examiners, and prosecutors are encouraged to be familiar with the followingFederal requirements, as well as applicable State and local laws, policies, and procedures,because their breach may result in a suppression challenge or civil suit:■ Fourth Amendment.■ Wiretap Act.■ Pen Register and Trap and Trace Statute.■ Electronic Communications Privacy Act (also known as Stored Wire and ElectronicCommunications Section).■ Privacy Protection Act.Note: A comprehensive analysis of Federal search and seizure issues, Searching andSeizing Computers and Obtaining Electronic Evidence in Criminal Investigations, can befound at www.cybercrime.gov/s&smanual2002.htm.Fourth AmendmentSearches for digital evidence, like searches for other forms of evidence, are subject toFederal and State constitutional search and seizure laws and court rules. Traditional FourthAmendment principles, like those governing closed containers, apply to digital evidence.13A list of countries that are MLAT and MLAA participants may be found at http://travel.state.gov/mlat.html. A discussion of the MLATprocess may be found in the U.S. Attorneys’ Criminal Resource Manual.14The letters rogatory process is codified at 28 U.S.C. § 1871 et seq.75

SPECIAL REPORT / JAN. 07The Fourth Amendment protects individuals from unreasonable searches and seizures.The two primary requirements for Fourth Amendment protections to be invoked are—■ Is government action involved?■ Does the person affected have a reasonable expectation of privacy in the place or thingto be searched?If protections under the Fourth Amendment apply, then law enforcement must obtain awarrant unless an exception exists. Exceptions to securing a warrant include—■ Consent.■ Exigent circumstances.■ Search incident to arrest.■ Inventory search.■ Plain view doctrine.Although the exceptions may provide a legal basis to seize the media containingthe digital evidence (e.g., computer, CD-ROM, other storage devices), further legalprocess may be necessary to conduct a forensic examination of the seized media.Searches and seizures pursuant to warrantsIf the Fourth Amendment applies and none of the warrant exceptions exist, law enforcementagents should obtain a warrant. Generally, the same warrant rules apply whenpreparing and executing a warrant for digital evidence as for other investigations.Investigators should consider the need to justify searching the contents of the hardwareas well as seizing it. Consult legal authority for best practices within a particular jurisdiction.In preparing the affidavit for a search warrant, consider—■ What criminal offense is being investigated (e.g., e-mail threats, murder, protectionorder violation).■ Specifically where the search will take place (e.g., describe the house, address).■ What is expected to be found (e.g., hardware, storage devices, manuals, password).■ How you know it is there (e.g., trace Internet Protocol (IP) address, account names,billing information).■ Why is it relevant to the crime (e.g., instrumentality, repository, or target of the crime).76

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSAdditional considerations in the execution of a search warrant may include—■ Discovery of evidence outside the scope of the warrant.— An additional warrant may be necessary or advisable to expand the scope of the original warrant. ■ Reasonable accommodation.— Minimization of disruption of business.— Consider the return of noncontraband seized data if commingled with evidence of a crime to accommodate a reasonable request. Wiretap ActOmnibus Crime Control and Safe Streets Act of 1968, 18 U.S.C. § 2510et seq.The Wiretap Act as it applies to Internet and network investigations focuses on the interceptionof the content of communications while the communications are in transit andgoverns the disclosure of intercepted communications. Examples of such interceptionsmay include—■ Wiretapping a telephone.■ Real-time network monitoring.■ Sniffer software. To ensure compliance, determine whether— ■ The communication to be monitored is one of the protected communications definedin the statute.■ The proposed surveillance constitutes an “interception” of the communication.If both conditions are present, consult your local prosecutor or legal advisor for guidance.Note: Some States have versions of the Wiretap Act that are more restrictive than theFederal act. The Federal act does not preempt these laws unless Federal agents are conductingthe investigation. State and local law enforcement agents must comply with anysuch State act, even if there is no violation of the Federal Wiretap Act.Pen Register and Trap and Trace Statute, 18 U.S.C. § 3121 et seq.The Pen/Trap statute governs the real-time acquisition of dialing, routing, addressing,and signaling information relating to communications. The statute does not cover theacquisition of the content of communications; rather, it covers the transactional informationabout communications.77

SPECIAL REPORT / JAN. 07A pen register order authorizes the recording of outgoing connection information includingevery phone number that a specific phone dialed. A pen register order does notauthorize the collection of numbers dialed after the connection is established (e.g.,account number or PIN) because they constitute content. Conversely, a trap and traceorder authorizes the recording of incoming connection information.The Pen/Trap statute also applies to real-time capture of transactional information relatedto Internet and network communications. For example, every e-mail communicationcontains “to” and “from” information. Also, Internet/network packets may containsource and destination addresses.Note: Some States have versions of the Pen/Trap statute that are more restrictive thanthe Federal Act. The Federal Act does not preempt these laws unless Federal agentsconduct the investigation. State and local law enforcement agents must comply with anysuch State act, even if there is no violation of the Federal Pen/Trap statute. Consult thelocal prosecutor or legal advisor for further guidance.Electronic Communications Privacy ActStored Wire and Electronic Communications Section (18 U.S.C. § 2701et seq.)The stored communications chapter of the Electronic Communications Privacy Act(ECPA) provides customers and subscribers of certain communications service providerswith privacy protections. ECPA provides a higher level of privacy protection to the contentsof communications and files stored with a provider than to records detailing theuse of the service or the subscriber’s identity.ECPA may dictate what type of legal process is necessary to compel a provider todisclose specific types of customer/subscriber information to law enforcement agents.ECPA also limits what a provider may and may not voluntarily disclose to others, includingthe government.ECPA applies when a law enforcement agent seeks certain information from a providerof electronic communications service 15 or remote computing service, 16 including—■ Subscriber information.■ Transactional information.■ Content.ECPA does not apply when the agent seeks to obtain information from thecustomer/subscriber’s computer.15Section 2510(15), title 18 United States Code, defines electronic communications service as “any service which provides to usersthereof the ability to send or receive wire or electronic communications.”16Section 2711(2), title 18 United States Code, defines remote computing service as “provision to the public of computer storage or processingservices by means of an electronic communications system.”78

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSSubscriber informationLaw enforcement agents may use a subpoena, if allowed by their State law, to obtaincertain information listed in ECPA relating to the identity of a customer/subscriber, thecustomer/subscriber’s relationship with the service provider, and basic session connectionrecords. Specifically, a subpoena is effective to compel a service provider to disclosethe following information about the customer/subscriber:■ Name.■ Address.■ Local and long distance telephone connection records or records of session times anddurations.■ Length of service (including start date) and types of service utilized.■ Telephone or instrument number or other subscriber number or identity, the InternetProtocol address used to establish the account, and any temporarily assigned networkIP address.■ The means and source of payment for such service (including any credit card or bankaccount numbers).Extensive transaction-related records, such as logging information revealing the e-mailaddresses of persons with whom a customer corresponded during prior sessions, arenot available by subpoena. However, the use of a subpoena with notice can allow the discoveryof the same evidence as a 2703(d) order and should be utilized when seeking thistype of information.Note: Because providers may use different terms to describe the types of data that theyhold, it is advisable to consult with each provider about preferred language when draftingthe request to maximize the efficiency of obtaining the requested information.Transactional informationA law enforcement agent will need to obtain a court order under 18 U.S.C. § 2703(d) tocompel a provider to disclose more detailed, noncontent subscriber and session information,commonly referred to as transactional information, about the use of the services bya customer/subscriber. These records could include—■ Account activity logs that reflect what IP addresses the subscriber visited over time.■ E-mail addresses of others from whom or to whom the subscriber exchanged e-mail.Any Federal magistrate or district court with jurisdiction over the offense under investigationmay issue a 2703(d) order. State court judges authorized by the law of the State toenter orders authorizing the use of a pen/trap device may also issue 2703(d) orders. Theapplication must offer “specific and articulable facts showing that there are reasonablegrounds to believe that . . . the records or other information sought are relevant andmaterial to an ongoing criminal investigation.”79

SPECIAL REPORT / JAN. 07A law enforcement agent also can use a 2703(d) order to compel a cellular telephoneservice provider to turn over, in real time, records showing the cell-site location informationfor calls made from a subscriber’s cellular phone. This information shows more ofthe subscriber’s use of the system than that available by subpoena, but it does notinclude the content of the communications.Note: A 2703(d) order also can be used to obtain both subscriber information and transactionalinformation. Refer to Searching and Seizing Computers and Obtaining ElectronicEvidence in Criminal Investigations (www.cybercrime.gov/s&smanual2002.htm) forexamples of applications for an order under 2703(d).ContentECPA distinguishes between communications in storage that have already been retrievedby the customer or subscriber and those that have not. The statute also distinguishesbetween retrieved communications that are held by an electronic communications service,which can be public or private, and those held by a remote computing service,which only provides service to the public.Retrieved communications, unretrieved communications older than 180 days, andother files stored with a public provider—subpoena with notice or 2703(d) courtorder with notice, or search warrant. ECPA applies to stored communications that acustomer or subscriber has retrieved but left on the server of the communications serviceprovider, if the service provider offers those services to the public. Under thestatute, such a provider is considered a “remote computing service” and is not permittedto voluntarily disclose such content to the government unless certain circumstancesexist (see 18 U.S.C. § 2702(b) and 18 U.S.C. § 2701(c) for information on the “circumstances”).These communications include any files that a customer may have stored onthe public provider’s system. If the provider does not offer those services to the public,no constraints are imposed by ECPA on the right of the provider to disclose such informationvoluntarily.Note: ECPA may apply if the e-mail sought resides on the employer’s server and has notyet been retrieved by the employee. In this instance, the rules discussed under unretrievedcommunications and search warrants later in this chapter apply.Prior notice to subscriber. Law enforcement may use either a subpoena or a 2703(d)court order to compel a public service provider to disclose the contents of stored communicationsthat have been retrieved or communications that are unretrieved but havebeen on the server more than 180 days by a customer or subscriber. In both cases, lawenforcement is required to either give prior notice to the subscriber or comply withdelayed notice provisions of section 2705(a). Remember, law enforcement can alsouse a search warrant, which does not require notice to the subscriber to obtain thisinformation.Note: Section 2705(a) in ECPA allows agents to delay notice to the customer or subscriberwhen notice would jeopardize a pending investigation or endanger the life orphysical safety of an individual. However, pursuant to 2705(b), a “no-notice provision”included with the subpoena or search warrant may prevent the ISP from making disclosureto the subscriber.80

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSNote: If the investigating agency is located within the jurisdiction of the U.S. Court ofAppeals for the Ninth Circuit (California, Oregon, Washington, Arizona, Montana, Idaho,Nevada, Alaska, Hawaii, Guam, and the Northern Mariana Islands), the investigator mustuse a search warrant to compel disclosure of all communications, retrieved or unretrieved.If the investigating agency is located outside the Ninth Circuit, the investigatormay follow the traditional ECPA interpretation, under which retrieved communicationsare available pursuant to a subpoena or 2703(d) court order with notice, even if theprovider is located in the Ninth Circuit. However, investigators should be aware that manylarge providers, including AOL ® , Yahoo!®, and Hotmail ® , may only provide content informationpursuant to a search warrant based on a recent court decision, Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004).Unretrieved communications. Unretrieved communications (including voice mail) heldby the provider for 180 days or fewer have the highest level of protection available underECPA. ECPA covers such communications whether the service provider is private or public.Law enforcement may seek a search warrant to compel the production of unretrievedcommunications in storage with a service provider. No prior notice to the customer/subscriber is required if information is obtained with a search warrant. A search warrantmay also be used to obtain subscriber and transactional information.Voluntary disclosure of electronic communications–18 U.S.C. § 2702(b)(6)(C).Providers of services not available to the public may freely disclose both contents andother records relating to stored communications. ECPA imposes restrictions on voluntarydisclosures by providers of services to the public, but it also includes exceptions to thoserestrictions.ECPA provides for the voluntary disclosure of contents of electronic communicationswhen the provider “reasonably believes that an emergency involving immediate dangerof death or serious physical injury to any person requires disclosure of the informationwithout delay.”See exhibit 24 for ECPA disclosure rules.Note: Some States may have applicable laws that are more restrictive than ECPA. ECPAdoes not preempt these laws unless Federal agents are conducting the investigation.State and local law enforcement agents must comply with any such State act, even ifthere is no violation of the Federal statute.Remedy: civil damagesCivil damages are the exclusive remedy for violations of ECPA. ECPA does not contain aprovision to suppress evidence obtained in violation of the Act.81

SPECIAL REPORT / JAN. 07Exhibit 24. Disclosure rules of ECPAType ofInformationVoluntary disclosureallowed?Mechanisms to compeldisclosurePublicproviderNonpublicproviderPublicproviderNonpublicproviderBasic subscriber,session, andbillinginformation*Not to government,unless § 2702(c)exception applies[§ 2702(a)(3)]Yes[§ 2702(a)(3)]Subpoena;2703(d) order; orsearch warrant[§ 2703(c)(2)]Subpoena;2703(d) order;or search warrant§ 2703(c)(2)]Othertransactional andaccount recordsNot to government,unless § 2702(c)exception appliesYes2703(d) order orsearch warrant2703(d) order orsearch warrant[§ 2702(a)(3)] [§ 2702(a)(3)] [§ 2703(c)(1)] [§ 2703(c)(1)]Retrievedcommunications(opened e-mailand voice mail)left with providerand other storedfiles**No, unless § 2702(b)exception applies[§ 2702(a)(2)]Yes[§ 2702(a)(2)]Subpoena withnotice; 2703(d)order with notice;or search warrant[§ 2703(b)]Subpoena;ECPA doesn’tapply[§ 2711(2)]Unretrievedcommunication,including e-mailand voice mail(in electronicstorage more than180 days)**No, unless § 2702(b)exception applies[§ 2702(a)(1)]Yes[§ 2702(a)(1)]Subpoena withnotice; 2703(d)order with notice;or search warrant[§ 2703(a,b)]Subpoena withnotice; 2703(d)order with notice;or search warrant[§ 2703(a,b)]Unretrievedcommunication,including e-mailand voice mail(in electronicstorage 180 daysor fewer)No, unless § 2702(b)exception applies[§ 2702(a)(1)]Yes[§ 2702(a)(1)]Search warrant[§ 2703(a)]Search warrant[§ 2703(a)]*See 18 U.S.C. § 2703(c)(2) for listing of information covered. For telephone communications, the section includes, among other records,local and long distance connection records. For Internet connections, the section includes, among others, records of session times anddurations and IP addresses assigned to the user during the session.**For investigating agencies located within the Ninth Circuit, the content of communications may only be obtained with a searchwarrant under the Ninth Circuit’s interpretation of ECPA.Note: The information in exhibit 24 is taken from page 147 of Searching and Seizing Computers and Obtaining Electronic Evidence inCriminal Investigations, www.cybercrime.gov/s&smanual2002.htm.82

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSPrivacy Protection Act, 42 U.S.C. § 2000aa et seq.The Privacy Protection Act (PPA) limits law enforcement’s use of a search warrant tosearch for or seize certain materials possessed by a person for the purpose of public dissemination.The intent of this law is to protect publishers from having First Amendmentmaterials seized unless the individual is suspected of harboring illicit material. Generally,this act prohibits the seizure of publication materials by the use of a search warrant withsome exceptions. Normally, the government must issue a subpoena. These protectedmaterials may be either “work product” (i.e., materials created by the author/publisher)or “documentary materials” (i.e., any materials that document or support the work product).The term publisher is not limited to the traditional press and may include individualswho have an intent to publish material or have their own Web site.In assessing the impact of PPA on an investigation, the following factors should beconsidered:■ Is the material covered by PPA? PPA-covered material is of two general types:— Work-product material created for the purpose of disseminating to the public through a public form of communication, 42 U.S.C. § 2000aa-7(b). — Documentary materials possessed for the purpose of disseminating to the public through a public form of communication, 42 U.S.C. § 2000aa-7(a). ■ Is the possessor of the material covered by PPA? PPA only applies to protect publishersthat are innocent third parties. See S. Rep. No. 96-874 at p. 4 (1980). If the suspecthas commingled the publications material with the contraband, a law enforcementagent who seizes the publications material incident to the seizure of the contrabandwill not be liable under PPA. Guest v. Leis, 255 F.3d 325 (6th Cir. 2001). However, a lawenforcement agent who searches the actual publications material may be liable unlessthe search is incidental to the search for the contraband material.PPA’s prohibition on the use of a search warrant does not apply in the followingcircumstances:■ Materials searched for or seized are contraband, fruits, or instrumentalities of the crime.■ There is reason to believe that the immediate seizure of such materials is necessary toprevent death or serious bodily injury.■ Probable cause exists to believe that the person possessing the materials has committedor is committing a criminal offense to which the materials relate. (This exceptiondoes not apply where the mere possession of the materials constitutes the offenseexcept for the possession of child pornography and certain government information.)Civil damages are the exclusive remedy for violation of PPA. PPA does not contain a provisionto suppress evidence obtained in violation of the act. 1717Similar to 42 U.S.C. § 1983, an officer sued in a personal capacity is entitled to a reasonable good faith defense. 42 U.S.C. § 2000aa-6.In addition, the officer may only be sued in his or her individual capacity if the government has not waived sovereign immunity.83

SPECIAL REPORT / JAN. 07Note: For further information on PPA, consult Searching and Seizing Computers andObtaining Electronic Evidence in Criminal Investigations (www.cybercrime.gov/s&smanual2002.htm).Other considerationsPrivileged or proprietary informationIn some instances, law enforcement may have reason to believe that the place to besearched will have information that is considered “privileged” under statute or commonlaw (e.g., when searching the office of a lawyer, doctor, or member of the clergy). 18Before conducting the search, law enforcement should take care to identify the legal limitationsthat the jurisdiction may impose and comply with those limitations. Consider inadvance whether the evidence to be seized contains privileged or proprietary information.Juvenile suspectsInvestigations involving juvenile suspects are not unusual. If the suspect is a juvenile, thiscould affect a host of issues, including seizing the computer used in the crime if locatedin the parent’s home, interviewing the juvenile suspect, and charging the juvenile. If thesuspect identified is a juvenile, the investigator should be mindful of the effect that a suspect’sjuvenile status may have on the investigation.Entrapment and public authorityInternet and network investigations may, under appropriate circumstances, be conductedin a proactive stance. For example, the investigator may assume an undercover status toattempt to have the suspect distribute a contraband file to gather evidence of the suspect’sknowledge and intent to control the contraband files. An investigator should becognizant of his or her jurisdiction’s laws regarding entrapment when conducting theinvestigation in a proactive manner.Trojan programsBecause investigations involving the Internet and computer networks mean that the suspect’scomputer communicated with other computers, investigators should be awarethat the suspect may assert that the incriminating evidence was placed on the media bya Trojan program. A Trojan is a computer program that may be transferred to an unknowingindividual’s computer allowing another individual to access the computer system. Aproper seizure and forensic examination of a suspect’s hard drive may determinewhether evidence exists of the presence and use of Trojan programs.18Consider obtaining a stipulation before seizing information from the target to avoid confiscating potentially privileged or proprietaryinformation. (See appendix titled “Stipulation Regarding Evidence Returned to the Defendant,” from Digital Evidence in the Courtroom: AGuide for Law Enforcement and Prosecutors.)84

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSInvestigation of trade secret, copyrighted materials, and softwarepiracy file-sharing casesSome types of file-sharing investigations involve cases where the files themselves arelegal, but the suspect’s possession or distribution of those files is illegal. In this case theinvestigating focus will be whether—■ The suspect knew or should have known that the possession and/or distribution of thefiles was unauthorized.■ The acquisition and distribution chain of the files can be traced.Federal copyright laws 19 preempt State copyright laws; however, this does not mean thatall possible State criminal charges are preempted. Therefore, it is important to considerother applicable State statutes for prosecution such as consumer protection, deceptivetrade practice, traditional theft, or larceny statutes.SummaryConstitutional standards, statutory provisions, policies and procedures concerning investigations,and industry-specific acts govern the investigative process. This chapter brieflyaddresses some of these aspects. For a more complete discussion of legal aspectsrelating to digital evidence, refer to another guide in this series, Digital Evidence in theCourtroom: A Guide for Law Enforcement and Prosecutors (www.ojp.usdoj.gov/nij/pubs-sum/211314.htm).19Federal laws governing copyright of digital intellectual property such as music and movies and criminalizing copyright infringementinclude the Digital Millennium Copyright Act and the No Electronic Theft Act.85

Appendix A. Glossary ANI: See Automatic Number Identification.Automatic Number Identification: Aservice that provides the telephone numberof an incoming call.Backdoor: A backdoor generally circumventssecurity programs and providesaccess to a program, an online service, oran entire computer system. It can beauthorized or unauthorized, documentedor undocumented.Client: A computer or program that connectsto or requests the services of anothercomputer or program. Client also canrefer to the software that enables thecomputer or program to establish the connection.Clipboard: Temporary computer memorythat allows the user to store text andgraphics for future use.DHCP: See Dynamic Host ConfigurationProtocolDynamic Host Configuration Protocol:A service that automates the assignmentof Internet Protocol (IP) addresses on anetwork. DHCP assigns an IP addresseach time a computer is connected to thenetwork. DHCP uses the concept of a“lease” or amount of time that a given IPaddress will be valid for a specific computer.DHCP can dynamically reassign IPaddresses for networks that have arequirement for more IP addresses thanare available.Firewall: A software program or hardwaredevice that protects the resources of anetwork from unauthorized access. A firewallfilters network packets to determinewhether to forward the packets to theirrequested destination to allow access.Fully qualified domain name: Thehierarchical name of an individual hostincluding the host name along with thefull network path to that host (e.g.,adsl226.dyn996.pushme.nist.gov).Gateway: A device that passes trafficbetween networks. Typically, a gatewayphysically sits at the perimeter of an internalnetwork to the Internet.Header: Identifying information transmittedas part of the data packet or as e-mailor newsgroup routing information.Malware: Computer viruses and othersoftware designed to damage or disrupt asystem.NAT: See Network Address Translation.Network Address Translation: A servicethat allows computers on a private networkto access the Internet without requiringtheir own publicly routable Internet Protocoladdress. NAT modifies outgoing networkpackets so that the return address is a validInternet host, thereby protecting the privateaddresses from public view.Packet: A transmission unit containingboth data and a header that is routedbetween an origin and a destination ona network.87

SPECIAL REPORT / JAN. 07Point of Presence (POP): A Point ofPresence is a physical location that housesservers, routers, ATM switches, and otherdevices. Not to be confused with PostOffice Protocol.Port: A software-created access point—a“logical connection place”—for movinginformation into and out of a computer.Each communications service on a computer(e.g., FTP, e-mail, Web) is assigned aport number. Ports are numbered from 0to 65535. Ports 0 to 1023 are reserved foruse by certain privileged services.Post Office Protocol (POP): A protocolused to retrieve e-mail from a mail server.Protocol: A standard set of rules that governhow computers communicate or performa task.Proxy server: A server that acts as anintermediary between a workstation userand the Internet to facilitate security,administrative control, and caching services.A proxy server works as a gatewaythat separates a network from an outsidenetwork and as a firewall that protects thenetwork from an outside intrusion.RADIUS logs: Remote AuthenticationDial-In User Service is a method ofauthenticating remote users connecting toa network. The logs of a RADIUS serverwill provide the Internet Protocol addressor phone number of the user requestingauthentication to the network.Redirector: A device or command used toforward or route Internet traffic to anotherInternet Protocol address; sometimesused to obscure the source or destinationaddress.Router: A device that determines the nextnetwork point to which a data packetshould be forwarded to reach its destination.The router is connected to at leasttwo networks and determines which wayto send each data packet based on its currentunderstanding of the state of the networksit is connected to.Server: A computer that provides files andservices for use by other computers.Sniffer: Software that monitors networkpackets and can be used to interceptdata including passwords, credit cardnumbers, etc.Spoof: To change the identifying informationin a communication in order to hideone’s true identity.Telnet: An Internet Protocol application forinitiating a remote terminal session on anetwork.Threads: Groups of associated messagesand responses in message boards ornewsgroups.Trojan: An application that overtly doesone thing while covertly doing another.UTC: UTC has no direct word association.It means both Coordinated Universal Timein English and Temps Universel Coordonnéin French. Coordinated Universal Time isthe new worldwide time standard basedon highly accurate atomic time and usedin place of Greenwich Mean Time (GMT).UTC, like GMT, is set at 0 degrees longitudeon the prime meridian.Virus: A malicious application that bydesign spreads from one computer toanother.Wayback Machine: A historical archive ofWorld Wide Web content located atwww.archive.org.Worm: A type of virus that self-replicatesacross a network.88

Appendix B. Domain NameExtensions■ .aero (restricted to certain members of the global aviation community), sponsored bySociete Internationale de Telecommunications Aeronautiques SC (SITA).■ .biz (restricted to businesses), operated by NeuLevel.■ .com, operated by Verisign Global Registry Services.■ .coop (restricted to cooperatives), sponsored by Dot Cooperation LLC.■ .info, operated by Afilias Limited.■ .museum (restricted to museums and related persons), sponsored by the MuseumDomain Management Association (MuseDoma).■ .name (restricted to individuals), operated by Global Name Registry.■ .net, operated by Verisign Global Registry Services.■ .org, operated by Public Interest Registry.■ .pro (restricted to licensed professionals), operated by RegistryPro.Registrar contact information and descriptions are available at http://www.icann.org/registrars/accreditation-qualified-list.html.89

Appendix C. Accessing DetailedHeaders in E-Mail MessagesE-Mail Client SoftwareDisplay Detailed Header InformationAOL ®Claris Emailer ®Eudora ® (before ver. 3x)Eudora ® (ver. 3.x to ver. 6x IBM ® or Macintosh ® )GroupWise ®HotMail ®Lotus Notes ® 4.6.xLotus Notes ® R5Netscape ® 4.xxOutlook ®Outlook Express ®PINESelect Mail, select Mail Settings, select Advanced,then select Never Minimize Headers.Under Mail, select Show Long Headers.Select Tools, select Options, select Fonts & Display,then select Show all headers.Select BLAH, BLAH, BLAH button on the incoming mail message.Click “actions” and “delivery.”Select Options on the Hotmail ® Navigation Bar on the left sideof the page. On the Options page, select Preferences. Scroll downto Message Headers, and select Full.From the menu bar, select Actions, then select Delivery Information.From the menu bar, select Actions, select Tools, then selectDelivery Information.Double click on the e-mail message. Select View Headers, then select All.Double click on the e-mail in your inbox to open the message.Select View, then select Options.Open the e-mail message. From the File drop-down menu,select Properties, then select the Details tab.Turn on the header option in setup, then type “h” to get headers.Some e-mail clients do not comply with any Internet standards (e.g., cc-Mail, BeyondMail, VAX VMS) and therefore do not maintain detailed header information. It will not bepossible to obtain detailed headers from these e-mail messages.When investigating e-mail messages sent over an intranet (internal network), knowthat in many cases e-mail headers are not generated. America Online (AOL) acts asan intranet for e-mail messages that are sent from one AOL member to another AOLmember. These messages do not contain standard e-mail header information. However,an e-mail message ID may still be available.91

Appendix D. File SharingInvestigative Suggested ChecklistContraband files/data are present or criminal action took place✓ Confirm jurisdiction. ✓ Identify the suspect. ✓ Identify any screen names and how they tie to the suspect. ✓ Identify the program used. ✓ Detail how the suspect was located. ✓ Determine if any exculpatory evidence is present (Trojan, virus, etc.). ✓ Review suspect statement/interview/confession. ✓ Use traditional investigative methods and procedures. ✓ Establish intent. ✓ Consult expert if necessary.Online considerations✓ Account names/number.✓ Host information.✓ Passwords.✓ Channel/room.✓ Was FTP site active—IP routable.✓ Service being used.Documentation✓ Timelines.✓ Chain of custody—logs/files.✓ Summary.✓ Glossary.✓ Visual aids.✓ Background of suspect on Internet.✓ Good notes at each step of the investigation.✓ Appendix of evidence.✓ Photos/screen prints.93

Appendix E. Sample Subpoenasand ReportsSample 1: Subpoena for Documents When Probable CauseIs Required by State LawSTATE OF WISCONSIN )COUNTY OF _________ )S.S.THE STATE OF WISCONSIN TO:Internet Service ProviderAttn: Legal Compliance DepartmentAddressCity, State, Zip CodePursuant to Wisconsin Statutes Section 968.135, upon request of the District Attorneyand upon a showing of probable cause, you are hereby commanded to produce to theissuing court on ___________________, 2005, at _____________________ AM/PM, or inlieu of appearing in court, to make arrangements to deliver same to Detective________________ of the _________ Police Department (Fax xxx-xxx-xxxx) prior to thatdate, copies of the following records:1. All customer or subscriber account information for the e-mail accountshacker@suspect.net and suspect@hacker.net and also any accounts registered toSuspect, date of birth. For each such account the information shall include:a. The subscriber’s name;b. The subscriber’s address;c. The subscriber’s telephone number or numbers, the e-mail address oraddresses, account or login name or names, and any other informationpertaining to the identity of the subscriber, including any identification95

SPECIAL REPORT / JAN. 07numbers or credit card numbers or any other identifying informationregarding the subscriber; andd. The types of services subscribed to or utilized by the subscriber and thelengths of such services.2. The content of electronic communications not in “electronic storage” (i.e., anyand all electronic mail that has already been opened by the user) currently held ormaintained in the account associated with the address hacker@suspect.net andsuspect@hacker.net and also any other accounts registered to Suspect, sentfrom or to the above account(s) during the period of November 2004 up throughand including the date of this subpoena.3. The content of all electronic communications in “electronic storage” for morethan 180 days associated with the accounts identified above that were placed orstored in ISP computer systems in directories or files owned or controlled bysuch accounts at any time up through and including the date of this subpoena.ISP should NOT produce any unopened incoming electronic communications(i.e., electronic communications in “electronic storage”) that are less than 181days old.Failure to comply with this subpoena may result in punishment for contempt underChapter 785 of the Wisconsin Statutes.Given under my hand the 19th day of July, 2005BY THE COURT:________________________________________________________Judge96

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSSample 2: Subpoena for Documents When Probable Cause IsNot Required Under State LawIN THE CIRCUIT COURT OF THE NINTH JUDICIAL CIRCUIT IN AND FOR ORANGE COUNTY, FLORIDA IN RE: STATEWIDE PROSECUTOR:OSWP No.: 2005–0091–CFBCRIMINAL INVESTIGATION: Subpoena No.: 05–165INVESTIGATIVE SUBPOENA DUCES TECUMIN THE NAME OF THE STATE OF FLORIDA, TO ALL AND SINGULAR THE AGENTS OFTHE FLORIDA DEPARTMENT OF LAW ENFORCEMENT AND/OR THE SHERIFFS OFTHE STATE OF FLORIDA.YOU ARE COMMANDED TO SUMMON:ISP Provider Attn: _________________ Address City, State Zip Code to appear before the undersigned Assistant Statewide Prosecutor on the ___ day of ______,2005 at 1 p.m. at the Office of Statewide Prosecution, Central Florida Bureau, 135 W.Central Blvd., Suite 1000, Orlando, FL 32801, to testify truthfully in behalf of the State ofFlorida, and to bring with her the following items:Please provide us with the information of who was assigned the IP address205.188.197.57 on 05–31–05 at 12:06 AM (EST).This SUBPOENA is issued under the authority of the Circuit Court, at the request of theOffice of Statewide Prosecution, by and through the undersigned prosecuting attorney.Failure to obey this Order may be punished as contempt of court.In lieu of personal appearance, these items may be furnished on or before the abovedate by mail or personal delivery to:Chad HangingAssistant Statewide Prosecutor135 W. Central Boulevard, Suite 1000Orlando, FL 32801This subpoena is issued as part of an ongoing criminal investigation. Do notdisclose the existence of this subpoena or the State’s investigation to (YOURCUSTOMERS, SUBSCRIBERS, ETC.).IN WITNESS WHEREOF, I have set my hand hereunto, and the seal of the Court atOrlando, Florida, this_____day of May, 2005._______________________________CLERK OF THE CIRCUIT COURT97

SPECIAL REPORT / JAN. 07BY:_______________________________(Seal)Deputy ClerkClerk of the Circuit Court[Name] Statewide Prosecutor BY: Chad Hanging Assistant Statewide Prosecutor 28 West Central Boulevard, Suite 300 Orlando, FL 32801 407–555–0893 Personally served this ______ day of May, 2005By:_____________________________________In accordance with the Americans With Disabilities Act, persons with a disability whoneed special accommodations to participate in this proceeding should contact_________________, Assistant Statewide Prosecutor, not later than 10 days prior to theproceeding.98

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSSample 3: E-Mail Investigation Report______________ POLICE DEPARTMENTDate of Report: 3/26/2003 Case No: 2003–0326–1750Ref. No:Occurred Incident: 21 – Fraud Sec/Area: ABC/CENTRALDispatched as: 21 – Fraud Grid: CAPITOLCase Offense: FRAUD Addr of Occurrence: 316 Main St. Call Date/Time: 03/07/2003 09:24 From Date/Time: Dispatch Date/Time: 03/07/2003 09:25 Thru Date/Time: Reporting Officer: DET JOE FRIDAYSpecial Routing: SUSPECT JOHN DOE, III M/W, DOB: 11/22/74 (28 yrs) Height: 6’1” Weight: 175 123 WILSON ST., ANYTOWN C: 555-7789ID:BY CALIFORNIA ID CARDVICTIMEMPLOYER:SCHOOL:CONTACT:CONTACT:JANE SMITHF/W DOB: 11/05/76 (26 yrs)316 Main St. H: 555-5854XYZ Inc. IN WASHINGTON, D.C.3RD YEAR LAW STUDENTPOLLY COTTONINTERNET ASSIGNED NUMBERS AUTHORITY PH: 555–9358 MILT BRADLEYCABLE COMMUNICATIONS, INTERNET SECURITY PH: 555–5754 On 3/19/03, John Doe forwarded the following e-mail to me, advising that it was evidencethat Jane Smith had given him permission to use her First Federal checkingaccount. He told me that he had received the e-mail from Jane, and that he had forwardedit to several of his e-mail accounts to preserve it.After reviewing the e-mail, I was skeptical that it had come from Smith, due to the oddcontent, which seemed directed at deflecting responsibility from Doe. I advised Doe thatI had experience in computer-related investigations, and that I intended to trace the e-mail to its origin, to confirm or deny his claim that the e-mail had originated from Smith. Iadvised him that if the e-mail had been created by him and “spoofed” to appear that itwas from her, in order to alter the course of my investigation, further charges couldresult. He advised that he understood this, and told me, “It came from her.”99

SPECIAL REPORT / JAN. 07The content of the e-mail is as follows. The IP addresses the mail was routed throughhave been highlighted for readability:Return-Path: Received: from rly-xe02.mx.lol.com (rly-xe02.mail.lol.com [172.xx.xxx.xxx]) by airxe05.mail.lol.com(v90_r2.5) with ESMTP id MAILINXE54-0307124425; Fri, 07 Mar2003 12:44:25 -0500Received: from coolmale.com (f18.law11.coolmale.com [64.x.xx.18]) by rlyxe02.mx.lol.com(v92.16) with ESMTP id MAILRELAYINXE23-4133e68da602e0; Fri,07 Mar 2003 12:44:00 -0500Received: from mail pickup service by coolmale.com with Microsoft SMTPSVC;Fri, 7 Mar 2003 09:43:59 -0800Received: from 66.xx.xx.62 by lw11fd.law11.coolmale.com with HTTP;Fri, 07 Mar 2003 17:43:58 GMTX-Originating-IP: [66.xx.xx.62]From: “JaneSmith” To: jdoe@lol.comDate: Fri, 07 Mar 2003 12:43:58 -0500Mime-Version: 1.0Content-Type: text/htmlMessage-ID: X-OriginalArrivalTime: 07 Mar 2003 17:43:59.0916 (UTC)FILETIME=[22931EC0:01C2E4D1]X-Mailer: Unknown (No Version)JohnI am sorry that I had to take these actions against you but you left me no choice.I know I gave you my permission to endorse,deposit,and withdrawl from my checkingaccount. But I wasn’t aware that you would turn into such a different person. Idon’t know you anymore. The only reason I turned you in was to get back at you for[expletive] me over emotionally. If you would have treated me with the slightestamount of kindness I would have just let things be. This is my turn to make you feellike [expletive] and if you go to jail because of it so be it. I know you thought that Iwouldn’t do anything considering you had my permission but I think you need to feelwhat I have. I never want to see you again.JaneI began tracing the e-mail via IP addresses contained in the header portion, starting withthe bottom (which corresponds with the recipient’s IP) and moving toward the top (whichcorresponds with the sender’s IP). Using the Internet tracing tools at Geektools.com, Idiscovered the following:■ 66.xx.xx.62 by lw11fd.law11.coolmale.com is registered to Cable Communications.■ f18.law11.coolmale.com [64.x.xx.18] is registered to Coolmale.100

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKS■ rly-xe02.mail.lol.com [172.xx.xxx.xxx] is registered to the Internet Assigned NumbersAuthority (IANA) as part of a “Special Purpose” block of IP addresses.On 3/25/03 at 11:30 a.m., I contacted Polly Cotton, Security Specialist for IANA to inquireabout what the “special purpose” block of addresses was, and who it was assigned toso that I could follow up on the origin of the e-mail from that point. She advised me thatthe IANA assigns blocks of Internet addresses to Internet service providers and others allover the world. She further advised that a small portion of the IP addresses on theInternet are designated as “special purpose,” and that the purpose of these addressesvary.I provided Polly Cotton with the IP address in question, 172.xx.xxx.xxx, and she was ableto advise that this address belonged to a group of IPs known as “Private use addresses.”Cotton informed me that Private Use Addresses are intended for private Intranet (internalnetworks) use only, and are not publicly available.She advised that these addresses are commonly used for forged e-mails, as they cannotbe traced to any individual user, only to the entity that the block of IP numbers isassigned to.Cotton told me that private use address blocks are commonly assigned to Cable andBroadband Internet service providers for their internal use, and that the number shouldnot have been available publicly. She was able to confirm that the block of IP addressesthat included 172.xx.xxx.xxx was assigned to Cable Communications, and suggested thatI contact them for further information about how this IP could have been accessed andused.Contact with Cable Communications:I next contacted Milt Bradley, an Internet Security Specialist with Cable Communications.I explained the situation to him, and he confirmed that Cable holds the private use IP172.xx.xxx.xxx. He advised that the only way this number would have legitimatelyshowed up in an e-mail from Smith to Doe is if both the sender and receiver were workingfrom machines with Cable pipeline service and cable modems. He told me that if thealleged sender didn’t have Cable pipeline service at the computer the e-mail was sentfrom, she didn’t send the e-mail. He advised me that more likely, the originating informationwas spoofed, or the sender accessed the coolmale account the message was sentfrom, and sent the message to the same computer the message was received at.Contact with Jane Smith:On 3/25/03, I spoke in person with Jane Smith at the CCB detective bureau at approximately2 p.m. I asked her about her Internet service, and she advised that she has dialupservice through the Internet Service Provider LOL at her house, and occasionally usesthe university computers to check and send e-mail. I asked her more specifically abouther whereabouts on 3/7/03, at the time the e-mail was sent. After looking at the calendar,she advised that she would have been in class or between classes, and that any e-mailshe sent would have been from the university system. I asked her if she had any friendswith cable modem access to the Internet or who use Cable Communications as an ISP,and she advised that she did not that she was aware of.101

SPECIAL REPORT / JAN. 07I allowed Smith to review the e-mail forwarded to me by Doe, and she told me, “I didn’twrite that.” She then told me, “Oh, my god. He’s got access to my e-mail account.” Sheexplained that she had given Doe her e-mail password so that he could forward documentsreceived at that e-mail address to her in Virginia while she was working there.Smith advised me that she has four e-mail accounts, jsmith@coolmale.com with a passwordof ‘plado’, jsmith@lol.com with a password of ‘badger1’, jane.smith@xyzinc.comwith a password of ‘badger4’, and jsmith@university.edu with a password she doesn’tremember, as she forwards all mail from there to her personal e-mail address. She toldme at that point she suspected that Doe had accessed her e-mail account to send themessage to himself, to make it appear as if it had come from her.Smith also told me that the verbiage of the e-mail seemed to be in his voice. She told methat comments in the e-mail such as “[expletive] me over emotionally” and “This is myturn to make you feel like [expletive]” seemed to her to be “his voice.” She also told methat she is a “punctuation and grammar nazi” and would never misspell the word withdrawal,or leave out the spaces after the commas behind the words endorse, deposit,and withdrawal. She also told me that the e-mail was dated after the time she had reportedthe fraudulent activity to the police and had told John she was doing so, and she felthe was trying to undermine her credibility.Smith admitted to me that she had written some nasty things to John over e-mail and viainstant messaging, but that this e-mail was definitely not from her. She then told me,“Why would I file a report to the police saying he didn’t have my permission to do thisand then write an e-mail to him saying ‘I know I gave you my permission to endorse,deposit, and withdrawal from my checking account.’ That’s just stupid.”Investigation continuing.Supervisory Officer: _____________________________________I.D.: ________Reporting Officer: _______________________________________DETECTIVE JOE FRIDAYI.D.: ________102

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSSample 4: United States Secret Service (USSS)Memorandum ReportFrom:To:SAIC – Los Angeles Field OfficeSAIC – Criminal Investigative DivisionRAIC – London Resident OfficeInfo:Origin:Office:Case Number:Case Title:Case Type:Actual/Potential Loss:Status:Electronic Crimes Task ForcesFieldLos Angeles Field Office403–775–xxxxxx–sInternet Worm775.310 Unauthorized Computer Access That AdverselyAffects OperationsUnknown/UnknownContinuedSynopsis:On 01/03/2005, a self-replicating computer worm, called “Internet Worm,” was found onseveral computer servers belonging to the local county Information TechnologyDepartment. This worm has also infected thousands of machines across the globe byspreading itself through a known vulnerability in a “server operating system.” Each clientthen attempts to report back to several central Internet Relay Chat (IRC) servers.Two suspects have been identified, one in the United Kingdom and one in Texas.Search warrants are being prepared in both cases, which will be executed simultaneously.Case continued pending further investigation.Details of investigation:On 01/03/2005, the local county Information Technology Security Officer (ITSO) in “AnyTown USA” contacted the City Police Department and advised that they had found unauthorizedsoftware on three computers belonging to the county Information TechnologyDepartment. An investigator from the City Police responded and took custody of thethree computers. The investigator contacted Special Agent “MANN,” from the local U.S.Secret Service, who was able to respond in order to assist in a computerized forensicexamination.103

SPECIAL REPORT / JAN. 07Subsequent forensic examinations were conducted on the three computers, whichrevealed that all three were compromised by a source originating outside of the countynetwork. An electronic “worm” had exploited a known vulnerability in the operatingsystem, which the system manufacturer was aware of and attempted to address byreleasing a “patch” for this vulnerability back in June 2004.The worm operates by first finding an unpatched server, which is currently running, andthen infecting the machine by copying its exploitation toolkit to the machine. The followingdomain names are coded into the configuration files of the worm:-badguy.badguynet.uk-badguy1.badguynet.uk-badguy2.badguynet.ukThese domain names are dynamic and permit the perpetrators to changecomputers/machines.The worm attempts to connect to one of the three “Internet Relay Chat” (IRC) servers,which are pointed to by the domain names. IRC is a software program that allows usersto connect to a central server located anywhere on the Internet and chat with otherusers, who are connected to that server or any other linked server that is linked together.Chat servers can have hundreds of users and allow almost an unlimited number of“channels” or “chat rooms.” Each chat room or channel is typically created with a separatetopic or theme. Chat rooms are controlled by the first user into the channel and aredesignated as “channel operators.” Channel operators can kick people out of the chatrooms, ban users, moderate discussions, and password protect the chat room so onlypeople who know the password can enter the channel.Once a compromised computer enters the password-protected chat room on one ofthese servers, it then sits idle waiting for various commands that a suspect/perpetratormight type in the chat room. These commands will cause the compromised computer toperform a preprogrammed function, such as: delete a file; copy a file; send a file to thechannel operator; display information about the system; or even start and stop programson the computer. The worm will then create a “bounce proxy” service on the victimmachine. This proxy will permit the suspect to reroute network traffic through the victimmachine, allowing the suspect/perpetrator to communicate with any computer on thenetwork and making it appear that the network traffic is originating from the victim’scomputer.Furthermore, the worm will start to randomly scan the Internet for more vulnerableservers to infect, and the process will be repeated over and over.With this information, and continuing on 01/03/05, Special Agent MANN connected tothe badguy.badguy.uk IRC server and observed a welcome screen that said “InternetWorm Home.” The Agent was automatically entered into the chat room and he witnessedseveral hundred other victim machines connected to the server, waiting for commandsfrom the suspect(s).Special Agent MANN determined that the domain name “badguy.uk” is owned and operatedby a company named Badguy Dynamic Network Services (BGDNS), located inAnycity, USA. The company operates a domain “pointing” service that allows users to104

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSregister their home or business computer(s), which permits them to receive incomingconnections from the Internet based on a domain name. For example, when someoneconnects to badguy2.badguy.uk, they are initially connected to badguy.uk servers; butthey are also immediately redirected to the address associated with badguy2. Thebadguy.uk company will have to know the Internet Protocol (IP) address, which is theunique number of that person’s home or business computer, in order to “point” thatdomain name to their computer.Special Agent MANN contacted BGDNS, and their director of security and personnelagreed to cooperate with this investigation. BGDNS advised that one of the domainnames used by the suspects to run the IRC servers, which the compromised computersconnect to, is “badguy2.badguy.uk.” Badguy.uk provided the registration information concerningthis domain name to include the e-mail address used by the suspect(s) whenthey registered for the service, hacker@suspect.net.On 01/03/05, Special Agent MANN conducted a standard Internet search using a searchengine and found five (5) related newsgroup messages that referenced the e-mailaddress of hacker@suspect.net. All the newsgroup messages were advertisingcomputer-related items that he/she was selling on an Internet auction service. Threeof the five ended the posting with the tag “==hack==.” The messages were posted bythe unique IP address XXX.XXX.XXX.XXX within a few minutes of each other on July 20,2004, indicating that they were written by the same person.On 01/06/05, Special Agent MANN contacted an investigator with the Internet auctionservice. The investigator was able to identify a unique account from the two newsgrouppostings by examining the message that advertised the items. By taking the item number,the investigator was able to identify an account that uses the e-mail address ofsuspect@hacker.net. The investigator was also able to determine that the person whoregistered this account resides at 10 Main Street, Anytown, United Kingdom. SpecialAgent MANN was able to obtain three credit card numbers that were provided by thesuspect when he registered for the auction account. All three credit cards were issuedby “Bank of Anytown UK” and were issued in the name of suspect.On 01/07/05, Special Agent MANN also conducted a standard Internet search using anInternet search engine, which revealed approximately 50 newsgroup messages postedby the e-mail address suspect@hacker.net. Several of the messages were about hackingand breaking into computer systems. Agent MANN then used publicly available Internettools to look up the domain registration information related to hacker.net, and found thatthe domain name had been registered with fraudulent information.On 01/12/2005, Agent MANN was able to register the domain name badguy1.badguy.uk.This domain name was previously used by the suspect and is programmed into theInternet Worm as one of the IRC servers. The suspect had previously registered thisdomain name on a 30-day trial basis, which has since expired; but the domain namewas again available for anyone to utilize. Agent MANN signed up for the same free-trialservice and pointed the domain to a USSS Los Angeles Electronic Crimes Task Force(LAECTF) computer operating in an undercover capacity. In a 12-hour period, the undercovercomputer was contacted by over 5,100 computers, which attempted to connect tothe IRC server and the preprogrammed chat rooms.105

SPECIAL REPORT / JAN. 07Several hundred of these computers are owned and operated by various universities andtechnology companies throughout the world, and many belong to critical infrastructureprograms, such as telecommunication companies, educational organizations, and commercialentities. The number of computers compromised has the potential risk of allowingthe suspect(s) to initiate a severe “Distributed Denial of Service” (DDOS) attackbecause the suspect(s) has the ability to direct each compromised computer to sendcommunication packets to a specific target computer anywhere on the Internet. Thiswould cause the targeted computer to overload with communication requests and causeit to malfunction.On 01/23/05, BGDNS was able to record the IP addresses that the suspect(s) used toconnect to his Web site, in order to change where the domain names pointed. In theprevious 2 days, a subject with the login name “hacker” changed 2 domain names fora total of 11 times. With each change, the network connection came from IP addressYYY.YYY.YYY.YYY.On 01/24/05, “Company Internet Provide” complied with a grand jury subpoena andinformed Special Agent MANN that IP address YYY.YYY.YYY.YYY was assigned to customer“Suspect 2,” located at 211 Main Street, Southtown, Texas. The Internet Provideralso stated that this account was a residential account, with broadband access.On 01/27/05, Agent MANN contacted the USSS Dallas Electronic Crimes Task Force(DECTF), and informed them about the information relating to Suspect 2. The DECTFstated that it would prepare a pen register/trap and trace court order to be executed onSuspect 2’s broadband connection. The DECTF was further requested to explore thepossibility of installing a “packet sniffer” at the Internet Provider’s facilities, in order tocapture packet headers on the suspect’s Internet account.On 01/29/05, the Internet Provider agreed to allow the USSS to connect a USSS computerto its switch in Dallas. The port on the switch will be configured by the Internet Providerto monitor all Internet traffic passing to or from the Suspect 2 broadband account.In accordance with a pen register/trap and trace court order, the network monitoringcomputer will only capture Internet packet headers, to include the origin and destinationIP address and ports. The content or payload of the packets will not be captured orrecorded. The court order will be valid for 60 days from the date issued. Network monitoringwill begin as soon as possible and will continue until the court order expires ornotification is given by the Case Agent that the monitor is no longer needed.Disposition:Case continued pending further investigation.106

Appendix F. Examples of PotentialSources of Evidence in NetworkInvestigations (may be applied toother investigations)Location Potential source What you might find Who to ask firstVictim computer ■ Operating system logs■ Application logs■ Security logs■ .ini files■ Contraband files■ Date and time stamps■ User names and passwords■ Connection information■ IP addresses■ Node names■ Victim■ Network administratoror installerVictim-sidefirewall or router,Syslog server■■■■Firewall logsDHCP logsNAT/PAT logsProxy logs■ Address translations■ Date and time stamps■ User names and passwords■ Connection information■ IP addresses■ Node names■ Victim■ Network administrator orinstallerVictim ISP ■ Firewall logs■ DHCP logs■ NAT/PAT logs■ Proxy logsSource ISP ■ Firewall logs■ DHCP logs■ NAT/PAT logs■ Proxy logs■ Victim ISP■ Source ISPSource-sidefirewall, router,Syslog server■■■■Firewall logsDHCP logsNAT/PAT logsProxy logs■ Owner■ Operator■ Network administratorSource computer ■ Operating system logs■ Application logs■ Security logs■ .ini files■ Contraband files■ Date and time stamps■ User names and passwords■ Connection information■ IP addresses■ Node names■ Owner■ Operator■ Network administrator107

Appendix G. Sample Language forPreservation Request LettersUnder 18 U.S.C. § 2703(f)[Internet Service Provider][Address]VIA FAX to (xxx) xxx-xxxxDear:I am writing to [confirm our telephone conversation earlier today and to] make a formalrequest for the preservation of records and other evidence pursuant to 18 U.S.C.§ 2703(f) pending further legal process.You are hereby requested to preserve, for a period of 90 days, the records describedbelow currently in your possession, including records stored on backup media, in a formthat includes the complete record. You also are requested not to disclose the existenceof this request to the subscriber or any other person, other than as necessary to complywith this request. If compliance with this request may result in a permanent ortemporary termination of service to the accounts described below, or otherwisealert the subscriber or user of these accounts as to your actions to preserve thereferenced files and records, please contact me before taking such actions.This request applies only retrospectively. It does not in any way obligate you, nor are youbeing asked, to capture and preserve new information that arises after the date of thisrequest.This preservation request applies to the following records and evidence:A. All stored communications and other files reflecting communications to or from [EmailAccount/User name/IP Address or Domain Name (between DATE1 at TIME1 andDATE2 at TIME2)];B. All files that have been accessed by [E-mail Account/User name/IP Address or DomainName (between DATE1 at TIME1 and DATE2 at TIME2)] or are controlled by useraccounts associated with [E-mail Account/User name/IP Address or Domain Name(between DATE1 at TIME1 and DATE2 at TIME2)];C. All connection logs and records of user activity for [E-mail Account/User name/IPAddress or Domain Name (between DATE1 at TIME1 and DATE2 at TIME2)], including:1. Connection date and time;2. Disconnect date and time;109

SPECIAL REPORT / JAN. 073. Method of connection (e.g., Telnet, ftp, http);4. Type of connection (e.g., modem, cable/DSL, T1/LAN);5. Data transfer volume;6. User name associated with the connection and other connection information, includingthe Internet Protocol address of the source of the connection;7. Telephone caller identification records;8. Records of files or system attributes accessed, modified, or added by the user;9. Connection information for other computers to which the user of the [E-mail Account/User name/IP Address or Domain Name (between DATE1 at TIME1 and DATE2 atTIME2)] connected, by any means, during the connection period, including the destinationIP address, connection time and date, disconnect time and date, method ofconnection to the destination computer, the identities (account and screen names) andsubscriber information, if known, for any person or entity to which such connectioninformation relates, and all other information related to the connection from ISP or itssubsidiaries.All records and other evidence relating to the subscriber(s), customer(s), accountholder(s), or other entity(ies) associated with [E-mail Account/User name/IP Address orDomain Name (between DATE1 at TIME1 and DATE2 at TIME2)], including, withoutlimitation, subscriber names, user names, screen names or other identities, mailingaddresses, residential addresses, business addresses, e-mail addresses and other contactinformation, telephone numbers or other subscriber number or identifier number,billing records, information about the length of service and the types of services thesubscriber or customer utilized, and any other identifying information, whether suchrecords or other evidence are in electronic or other form.Any other records and other evidence relating to [E-mail Account/User name/IP Addressor Domain Name (between DATE1 at TIME1 and DATE2 at TIME2)]. Such records andother evidence include, without limitation, correspondence and other records of contactby any person or entity about the above-referenced account, the content and connectionlogs associated with or relating to postings, and communications and any other activitiesto or through [E-mail Account/User name/IP Address or Domain Name (between DATE1at TIME1 and DATE2 at TIME2)], whether such records or other evidence are in electronicor other form.Very truly yours, Signature ____________________________ Printed Name ________________________ Title__________________________________ 110

Appendix H. Sample Language for2703(d) Court Order andApplicationIN THE CIRCUIT COURT FOR THE ****** JUDICIAL CIRCUITIN AND FOR ***** COUNTY, FLORIDASTATE OF FLORIDACASE NO:vs.Defendant____________________________/APPLICATIONCOMES NOW the State of Florida, by and through the undersigned Assistant StatewideProsecutor, and hereby files, under seal, this ex parte application for an order pursuant to18 USC §2703(d) to require [Internet Service Provider], [address], to provide records andother information pertaining to the [Internet Service Provider] account that was assignedInternet Protocol address xxx.xxx.xxx.xxx on [date] and [time] est.FACTUAL BACKGROUND[Insert factual background here – probable cause]LEGAL BACKGROUND18 U.S.C. § 2703 sets out particular requirements that the state must meet in orderto obtain access to the records and other information in the possession of providers of“electronic communications services” and/or “remote computing services.” [InternetService Provider] functions both as an electronic communications service provider—thatis, it provides its subscribers access to electronic communication services, includinge-mail and the Internet—and as a remote computing service provider—it provides computerfacilities for the storage and processing of electronic communications—as thoseterms are used in 18 U.S.C. § 2703. [Note that because a “remote computing service”is public by definition, this statement must be modified if you are seekinginformation from a service provider who is not a provider to the public, such as,for example, a university.]Here, the state seeks to obtain three categories of records: (1) basic subscriber information;(2) records and other information, including connection logs, pertaining to certainsubscribers; and [Add only if the application seeks to obtain the contents of communications(such as e-mails) pursuant to § 2703(b), as opposed to mere records111

SPECIAL REPORT / JAN. 07pursuant to § 2703(c).] (3) the content of electronic communications in a remote computingservice (but not communications in electronic storage 20 ).To obtain basic subscriber information, such as the subscriber’s name, address, billinginformation, and other identifying records, the state needs only a subpoena; however,the state may also compel such information through an order issued pursuant to section2703(d). See 18 U.S.C. § 2703(c)(1)(C). To obtain other types of records and informationpertaining to the subscribers or customers of service providers, including connectionlogs and other audit information, the state must comply with the dictates of sections2703(c)(1)(B) and 2703(d). Section § 2703(c)(1)(B) provides in pertinent part:A provider of electronic communication service or remote computing serviceshall disclose a record or other information pertaining to a subscriber to or customerof such service (not including the contents of communications covered bysubsection (a) or (b) of this section) to a governmental entity only when the governmentalentity . . . obtains a court order for such disclosure under subsection(d) of this section;[Add only if the application seeks to obtain the contents of communications(such as e-mails) pursuant to § 2703(b), as opposed to mere records pursuant to§ 2703(c).] To obtain the contents of electronic communications held by a remote computingservice (but not the contents in “electronic storage,” see n.1), the state mustcomply with 2703(b)(1)(B), which provides, in pertinent part:A governmental entity may require a provider of remote computing service todisclose the contents of any electronic communication to which this paragraph ismade applicable by paragraph 2 of this subsection . . . with prior notice from thestate entity to the subscriber or customer if the governmental entity . . . obtainsa court order for such disclosure under subsection (d) of this section . . . . exceptthat delayed notice may be given pursuant to section 2705 of this title.Paragraph 2 of subsection 2703(b) applies with respect to any electronic communicationthat is held or maintained on a remote computing service—(A) on behalf of, and received by means of electronic transmission from (or createdby means of computer processing of communications received by means ofelectronic transmission from), a subscriber or customer of such remote computingservice; and(B) solely for the purpose of providing storage or computer processing servicesto such subscriber or customer, if the provider is not authorized to access thecontents of any such communications for purposes of providing any servicesother than storage or computer processing.Therefore, communications described by paragraph 2 of subsection 2703(b) includethe content of electronic mail that has been opened, viewed, downloaded, or otherwiseaccessed by the recipient and is held remotely by the service provider on its computers.20“Electronic storage” is a term of art, specifically defined in 18 U.S.C. § 2510(17) as “(A) any temporary, intermediate storage of a wireor electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electroniccommunication service for purposes of backup protection of such communication.” The state does not seek access to any such materials.112

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSAll of the information the state seeks from [Internet Service Provider] through thisapplication may be compelled through an order that complies with section 2703(d).Section 2703(d) provides in pertinent part:A court order for disclosure under subsection (b) or (c) may be issued by anycourt that is a court of competent jurisdiction described in section 3127(2)(A) 21and shall issue only if the governmental entity offers specific and articulablefacts showing that there are reasonable grounds to believe that the . . . recordsor other information sought, are relevant and material to an ongoing criminalinvestigation. . . . A court issuing an order pursuant to this section, on a motionmade promptly by the service provider, may quash or modify such order, if theinformation or records requested are unusually voluminous in nature or compliancewith such order otherwise would cause an undue burden on such provider.Accordingly, this application sets forth facts showing there are reasonable groundsto believe that the materials sought are relevant and material to the ongoing criminalinvestigation.REQUESTED INFORMATIONThe state requests that [Internet Service Provider] be directed to produce all recordsdescribed in Attachment 1 to this Application. This information is directly relevant to identifyingthe individual(s) responsible for the crime under investigation. The informationrequested should be readily accessible to [Internet Service Provider] by computer search,and its production should not prove to be unduly burdensome. [Undersigned shouldcheck with the ISP before filing this document to ensure the accuracy of thisstatement.]The state requests that this Application and Order be sealed by the Court until suchtime as the court directs otherwise.The State of Florida further requests that pursuant to the preclusion of notice provisionsof 18 U.S.C. § 2705(b), that [Internet Service Provider] be ordered not to notify anyperson (including the subscriber or customer to which the materials relate) of the existenceof this order for such period as the court deems appropriate. The State of Floridasubmits that such an order is justified because notification of the existence of this ordercould seriously jeopardize the ongoing investigation. Such a disclosure could give thesubscriber an opportunity to destroy evidence, notify confederates, or flee or continuehis flight from prosecution.[Add only if the application seeks to obtain the contents of communications pursuantto § 2703(b), as opposed to mere records pursuant to § 2703(c).] The State ofFlorida further requests, pursuant to the delayed notice provisions of 18 U.S.C. § 2705(a),an order delaying any notification to the subscriber or customer that may be required by§ 2703(b) to obtain the contents of communications, for a period of 90 days. Providingprior notice to the subscriber or customer could seriously jeopardize the ongoing investigation,as such a disclosure would give the subscriber an opportunity to destroy evidence,change patterns of behavior, notify confederates, or flee or continue his flightfrom prosecution. [Optional Baker Act language to use if the ISP is a university:TheState of Florida further requests that [Internet Service Provider]’s compliance with2118 USC § 3127(2) defines the term “court of competent jurisdiction” as “(A) any district court of the United States (including a magistratejudge of such a court) or any United States court of appeals having jurisdiction over the offense being investigated; or (B) a court ofgeneral criminal jurisdiction of a State authorized by the law of that State to enter orders authorizing the use of a pen register or a trapand trace device.” Because 18 USC § 2703(d) expressly permits “any” such court to issue an order, this court may enter an order directingthe disclosure of such information even if the information is stored outside of this judicial circuit.113

SPECIAL REPORT / JAN. 07the delayed notification provisions of this Order shall be deemed authorized under20 U.S.C. § 1232g(b)(1)(j)(ii) (the “Baker Act”). See 34 CFR § 99.31(a)(9)(i) (exemptingrequirement of prior notice for disclosures made to comply with a judicial orderor lawfully issued subpoena where the disclosure is made pursuant to “any othersubpoena issued for a law enforcement purpose and the court or other issuingagency has ordered that the existence or the contents of the subpoena or the informationfurnished in response to the subpoena not bedisclosed”)].WHEREFORE, it is respectfully requested that the Court grant the attached Order, (1)directing [Internet Service Provider] to provide the State of Florida with the records andinformation described in Attachment 1; (2) directing that the Application and Order besealed; (3) directing [Internet Service Provider] not to disclose the existence or content ofthe Order, except to the extent necessary to carry out the Orders; and [Use only if theapplication seeks to obtain the contents of communications pursuant to § 2703(b)](4) directing that the notification by the state otherwise required by 18 U.S.C. § 2703(b)be delayed for ninety days.Respectfully Submitted,___________________________Assistant Statewide Prosecutor114

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSATTACHMENT 1You are to provide the following information as printouts and as ASCII data files:A. All customer or subscriber account information for any accounts registered to__________, or associated with __________ . For each such account, the informationshall include:1. The subscriber’s account and login name(s);2. The subscriber’s address;3. The subscriber’s telephone number or numbers;4. The subscriber’s e-mail address;5. Any other information pertaining to the identity of the subscriber, including, but notlimited to billing information (including type and number of credit cards, studentidentification number, or other identifying information).B. User connection logs for:(1) all accounts identified in Part A, above,(2) the IP address [xxx.xxx.xxx.xxx], for the time period beginning ____ through andincluding the date of this order, for any connections to or from ____.User connection logs should contain the following:1. Connection time and date;2. Disconnect time and date;3. Method of connection to system (e.g., SLIP, PPP, Shell);4. Data transfer volume (e.g., bytes);5. Connection information for other systems to which user connected via, including:a. Connection destination;b. Connection time and date;c. Disconnect time and date;d. Method of connection to system (e.g., Telnet, ftp, http);e. Data transfer volume (e.g., bytes).C. [Add only if the application seeks to obtain the contents of communications(such as e-mails) pursuant to § 2703(b), as opposed to mere records pursuant to§ 2703(c).] The contents of electronic communications (not in electronic storage 22 ) thatwere placed or stored in directories or files owned or controlled by the accounts identifiedin Part A at any time after [date] up through and including the date of this Order.22“Electronic storage” is a term of art, specifically defined in 18 U.S.C. § 2510(17) as “(A) any temporary, intermediate storage of a wireor electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electroniccommunication service for purposes of backup protection of such communication.” The government does not seek access to any suchmaterials.115

Appendix I. Technical Resources List National resourcesBureau of Alcohol,Tobacco, Firearmsand Explosiveswww.atf.govNational White Collar Crime Center1000 Technology Drive, Suite 2130Fairmont, WV 26554Phone: 877–628–7674http://www.nw3c.orgOffice of Juvenile Justice andDelinquency PreventionInternet Crimes Against ChildrenProgram810 Seventh Street N.W.Washington, DC 20001Phone: 202–616–7323http://www.ojp.usdoj.gov/ojjdpSEARCH Group, Inc.The National Consortium for JusticeInformation and Statistics7311 Greenhaven Drive, Suite 145Sacramento, CA 95831Phone: 916–392–2550http://www.search.orgU.S. Department of Defense CyberCrime Center911 Elkridge Landing Road, Suite 300Linthicum, MD 21090Phone: 410–981–1627/877–981–3235http://www.dc3.mil/dc3/home.htmU.S. Department of Homeland SecurityBureau of Immigration and CustomsEnforcement Cyber Crimes Center (C3)11320 Random Hills Road, Suite 400Fairfax, VA 22030Phone: 703–293–8005U.S. Secret Service Electronic CrimesTask Forcehttp://www.ectaskforce.org/Task Force Regional LocationsBay Area Electronic Crimes Task Force345 Spear StreetSan Francisco, CA 94105Phone: 415–744–9026Fax: 415–744–9051Chicago Electronic Crimes Task Force525 West Van BurenChicago, IL 60607Phone: 312–353–5431Fax: 312–353–1225Cleveland Electronic Crimes Task Force6100 Rockside Woods BoulevardCleveland, OH 44131–2334Phone: 216–706–4365Fax: 216–706–4445Dallas N-Tec Electronic Crimes TaskForce125 East John W. CarpenterIrvine, TX 75062–2752Phone: 972–868–3200Houston HITEC Electronic Crimes TaskForce602 Sawyer StreetHouston, TX 77007Phone: 713–868–2299Fax: 713–868–5093117

SPECIAL REPORT / JAN. 07Las Vegas Electronic Crimes Task Force600 Las Vegas Boulevard South, Suite 700Las Vegas, NV 89101Phone: 702–388–6571Fax: 702–388–6668Los Angeles Electronic Crimes Task Force725 South Figueroa Street, 13th FloorLos Angeles, CA 90017–5418Phone: 213–894–4830(General Office for USSS)Phone: 213–533–4650(Direct Phone for ECTF)Metro-Charlotte Electronic/FinancialCrimes Task ForceOne Fairview Center6302 Fairview RoadCharlotte, NC 28210Phone: 704–442–8370Fax: 704–442–8369Miami Electronic Crimes Task Force10350 N.W. 112 AvenueMiami, Florida 33178Phone: 305–863–5000New England Electronic Crimes TaskForceTip O’Neil Federal Building10 Causeway Street, Room 791Boston, MA 02222Phone: 617–565–6640Fax: 617–565–5659New York Electronic Crimes Task Force335 Adams Street, 32nd FloorBrooklyn, NY 11201Phone: 718–625–7135Fax: 718–625–3919South Carolina Electronic Crimes TaskForce107 Westpark Boulevard, Suite 301Columbia, SC 29210Phone: 803–772–4015Washington-Metro Electronic CrimesTask Force1100 L Street N.W.Washington, DC 20003Phone: 202–406–8000Fax: 202–406–8803State resourcesThe U.S. Department of Justice has createdthe Computer and TelecommunicationCoordinator (CTC) Program. Each UnitedStates Attorney’s Office (USAO) has designatedat least one CTC. This list and contactinformation can be found at:http://www.cybercrime.gov/CTClist.htm.The American Prosecutors ResearchInstitute (APRI) is the research, training,and technical assistance affiliate of theNational District Attorneys Association.The 50 State Peer-to-Peer TechnicalAssistance Network (P2PTAN) comprisesState and local prosecutors whoare involved in prosecuting high-techand computer-related crime and hasbeen compiled for use by law enforcementofficers and prosecutors. This listand contact information can be foundat: http://www.ndaa-apri.org/pdf/7_8_04_point_of_contact.pdf.AlabamaAlabama Bureau of InvestigationInternet Crimes Against Children Unit716 Arcadia CircleHuntsville, AL 35801Phone: 800–228–7688E-mail: info@dps.state.al.ushttp://www.dps.state.al.us/public/abi/icac/Alabama Bureau of Investigation3402 Demetropolis RoadMobile, AL 36693Phone: 251–660–2350http://www.dps.state.al.us/public/abi/icac118

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSHomewood Police Department1833 29th Avenue SouthHomewood, AL 35209Phone: 205–877–8637Hoover Police DepartmentFBI Innocent Images Task Force,Birmingham100 Municipal DriveHoover, AL 35216Phone: 205–444–7700Office of the Attorney GeneralPublic Corruption and White CollarCrime Division11 South Union StreetMontgomery, AL 36130Phone: 334–353–8494AlaskaAlaska State TroopersWhite Collar Crime Section5700 East Tudor RoadAnchorage, AK 99507Phone: 907–269–5627http://www.dps.state.ak.us/ast/abi/WhiteCollar.aspAnchorage Police Department4501 South Bragaw StreetAnchorage, AK 99507–1599Phone: 907–786–8500E-mail: wwapd@ci.anchorage.ak.usUniversity of Alaska at Fairbanks PoliceDepartmentP.O. Box 755560Fairbanks, AK 99775Phone: 907–474–7721ArizonaMaricopa County Attorney’s OfficeTechnology and Electronic Crimes Bureau301 West Jefferson Street, Fifth FloorPhoenix, AZ 85003Phone: 602–506–0139Office of the Attorney GeneralTechnology Crimes Unit1275 West Washington StreetPhoenix, AZ 85007Phone: 602–542–3881Fax: 602–542–5997E-mail: ag.inquiries@azag.govhttp://www.azag.gov/cybercrime/Phoenix Police Department620 West Washington StreetPhoenix, AZ 85003Phone: 602–495–0483http://www.ci.phoenix.az.us/POLICE/ArkansasArkansas State PoliceCrimes Against Children Division#1 State Police Plaza DriveLittle Rock, AR 72209Phone: 501–618–8386http://www.asp.state.ar.us/divisions/cac/cac_administration.htmlOffice of the Attorney GeneralConsumer Protection Division323 Center Street, Suite 200Little Rock, AR 72201Phone: 501–682–2007University of Arkansas at Little RockPolice Department2801 South University AvenueLittle Rock, AR 72204Phone: 501–569–8793/501–569–8794CaliforniaBureau of Medi-Cal Fraud and ElderAbuse110 West A Street, Suite 1100San Diego, CA 92101Phone: 619–645–2432Fax: 619–645–2455119

SPECIAL REPORT / JAN. 07California Bureau of Investigation3046 Prospect Park Drive, Unit 1Rancho Cordova, CA 95760Phone: 916–464–2001California Franchise Tax BoardInvestigations Bureau100 North Barranca Street, Suite 600West Covina, CA 91791–1600Phone: 626–859–4678Computer And Technology Crime High-Tech Response TeamC.A.T.C.H.330 West Broadway, Suite 700San Diego, CA 92101http://www.catchteam.org/Kern County Sheriff’s Department1350 Norris RoadBakersfield, CA 93308Phone: 661–391–7500sheriff@co.kern.ca.usLos Angeles Police DepartmentComputer Crime Unit150 North Los Angeles StreetLos Angeles, CA 90012Phone: 877–275–5273E-mail: lapdonline@earthlink.nethttp://www.lapdonline.org/Modesto Police Department600 10th StreetModesto, CA 95353Phone: 209–572–9500Northern California ComputerCrime Task Force455 Devlin DriveNapa, CA 94559Phone: 707–253–4500http://www.nc3tf.orgOffice of the Attorney GeneralCalifornia Department of Justice1300 I Street, Suite 1101Sacramento, CA 94244–2550Phone: 916–445–9555Office of the Attorney GeneralCalifornia Department of Justice455 Golden Gate, Suite 11000San Francisco, CA 94102Phone: 415–703–1372(Supports the REACT task force in SantaClara County/Silicon Valley)Office of the Attorney GeneralCalifornia Department of Justice455 Golden Gate, Suite 11000San Francisco, CA 94102Phone: 415–703–5868(Supports the North Bay Task Force coveringthe SF Bay area)Office of the Attorney GeneralCalifornia Department of Justice110 West A Street, Suite 1100San Diego, CA 92101Phone: 619–645–2823(Supports the San Diego Regional TaskForce and RCFL)Regional Computer Forensic Laboratoryat San Diego9797 Aero DriveSan Diego, CA 92123–1800Phone: 858–499–7799Fax: 858–499–7798E-mail: rcfl@rcfl.orghttp://www.rcfl.orgSacramento County Sheriff’s OfficeInternet Crimes Against Children TaskForce711 G StreetSacramento, CA 95814Phone: 916–874–3030http://www.sachitechcops.org/children.htmSacramento Valley Hi-Tech Crimes TaskForceHi-Tech Crimes DivisionSacramento County Sheriff’s DepartmentP.O. Box 988Sacramento, CA 95812–0998Phone: 916–874–3002E-mail: info@sachitechcops.orghttp://www.sachitechcops.org/120

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSSan Diego High Technology CrimesEconomic Fraud DivisionDistrict Attorney’s Office, County of SanDiego330 West BroadwaySan Diego, CA 92101Phone: 619–531–4040Fax: 619–237–1351E-mail: publicinformation@sdcda.orghttp://www.sdcda.org/protecting/hightech.phpSan Diego Police DepartmentInternet Crimes Against Children TaskForce9630 Aero DriveSan Diego, CA 92123Phone: 858–573–0689E-mail: sdicac@sdicac.orghttp://www.sdicac.org/San Diego Regional Computer ForensicLaboratory Office9737 Aero Drive (street address)San Diego, CA 921239797 Aero Drive (mailing address)San Diego, CA 92123Phone: 858–499–7799Fax: 858–499–7798E-mail: rcfl@rcfl.orghttp://www.sdrcfl.org/San Jose Police DepartmentSilicon Valley Internet Crimes AgainstChildren Task Force201 West Mission StreetSan Jose, CA 95110Phone: 408–277–4102E-mail: info@svicac.orghttp://www.svicac.org/Silicon Valley High Tech Crime TaskForceRapid Enforcement Allied Computer Team(REACT)c/o Federal Bureau of InvestigationREACT TASK FORCE950 South Bascom Avenue, #3011San Jose, CA 95128Phone: 408–494–7186Fax: 408–292–6375E-mail: reactsj@reacttf.orghttp://www.reacttf.org/Silicon Valley Regional ComputerForensic Laboratory Office4600 Bohannon Drive, Suite 200Menlo Park, CA 94025Phone: 408–795–4314http://www.svrcfl.org/Southern California High TechnologyCrime Task ForceCommercial Crimes BureauLos Angeles County Sheriff’s Department11515 South Colima Road, Room M104Whittier, CA 90604Phone: 562–946–7942U.S. Customs ServiceComputer Investigative Specialist3403 10th Street, Suite 600Riverside, CA 92501ColoradoColorado Department of Public SafetyColorado Bureau of Investigation690 Kipling Street, Suite 3000Denver, CO 80215Phone: 303–239–4679Fax: 303–274–0217E-Mail: cbi.denver@cdps.state.co.usColorado Springs Police DepartmentInternet Crimes Against Children TaskForce705 South Nevada AvenueColorado Springs, CO 80903Phone: 719–444–7541http://www.springsgov.com/Page.asp?NavID=1480121

SPECIAL REPORT / JAN. 07Denver District Attorney’s Office303 West Colfax Avenue, Suite 1300Denver, CO 80204Phone: 720–913–9000http://www.denverda.org/Denver Police DepartmentComputer Crimes Investigations Unit1331 Cherokee StreetDenver, CO 80204Phone: 720–913–6168Office of the Attorney General1525 Sherman Street, Seventh FloorDenver, CO 80203Phone: 303–866–5494Rocky Mountain Regional ComputerForensic Laboratory Office1961 Stout Street, Suite 1823Denver, CO 80294Phone: 303–629–7171http://www.rmrcfl.org/ConnecticutConnecticut Department of Public SafetyDivision of Scientific ServicesForensic Science LaboratoryComputer Crimes and ElectronicEvidence Unit278 Colony StreetMeriden, CT 06451Phone: 203–639–6492Fax: 203– 639-6485http://www.state.ct.us/dps/Connecticut Department of RevenueServicesSpecial Investigations Section25 Sigourney StreetHartford, CT 06106Phone: 860–297–5877Fax: 860–297–5625E-mail: DRS@po.state.ct.usConnecticut State PoliceComputer Crimes and ElectronicEvidence Unit278 Colony StreetMeriden, CT 06451Phone: 203–639–6492http://www.state.ct.us/dpsOffice of the Chief State’s Attorney300 Corp. PlaceRocky Hill, CT 06067Phone: 860–258–5800Yale University Police Department98–100 Sachem StreetNew Haven, CT 06511Phone: 203–432–7958http://www.yale.edu/police/department.html#ITS/DelawareDelaware State PoliceHigh Technology Crimes Unit1575 Mckee Road, Suite 204Dover, DE 19904Phone: 302–739–5901Fax: 302–739–1398http://www.state.de.us/dspNew Castle County Police DepartmentCriminal Investigations Unit3601 North DuPont Highway(street address)New Castle, DE 1972087 Reads Way (mailing address)New Castle, DE 19720Phone: 302–395–8110Office of the Attorney GeneralCriminal Division820 North French Street, Seventh FloorWilmington, DE 19801Phone: 302–577–8500122

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSUniversity of Delaware PoliceDepartment101 MOB700 Pilottown RoadLewes, DE 19958Phone: 302–831–2222E-mail: publicsafety@udel.eduhttp://128.175.24.251/District of ColumbiaMetropolitan Police DepartmentSpecial Investigations DivisionComputer Crimes and Forensics Unit300 Indiana Avenue N.W., Room 3016Washington, DC 20001Phone: 202–727–7003FloridaBroward County Sheriff’s Office2601 West Broward BoulevardFt. Lauderdale, FL 33312Phone: 954–888–5256E-mail: www.leachtaskforce@sheriff.orghttp://www.sheriff.orgFlorida Atlantic University PoliceDepartment777 Glades Road, #69Boca Raton, FL 33431Phone: 561–297–3500Fax: 561–297–3565Florida Department of LawEnforcementComputer Crime CenterP.O. Box 1489Tallahassee, FL 32302Phone: 850–410–7060Institute of Police Technology andManagementComputer Forensics LaboratoryUniversity of North Florida12000 Alumni DriveJacksonville, FL 32224–2678Phone: 904–620–4786Fax: 904–620–2453http://www.iptm.org/crim.htm#026119Office of Statewide ProsecutionHigh Technology Crimes135 West Central Boulevard, Suite 1000Orlando, FL 32801Phone: 407–245–0893Fax: 407–245–0356http://myfloridalegal.com/pages.nsf/4492D797DC0BD92F85256CB80055FB97/18A7753257FE439085256CC9004EC4F7?OpenDocumentPinellas County Sheriff’s Office10750 Ulmerton RoadLargo, FL 33778Phone: 727–582–6200GeorgiaGeorgia Bureau of InvestigationFinancial Investigations Unit3121 Panthersville RoadP.O. Box 370808Decatur, Georgia 30037–0808Phone: 404–212–4050http://www.ganet.org/gbiOffice of the Attorney General40 Capital Square135 State Judicial BuildingAtlanta, GA 30334–1300Phone: 404–656–5959Gainesville Police DepartmentP.O. Box 1250721 North West Sixth StreetGainesville, FL 32602Phone: 352–334–2561/352–334–2488http://www.gainesvillepd.org123

SPECIAL REPORT / JAN. 07HawaiiHawaii Department of the AttorneyGeneral425 Queen StreetHonolulu, HI 96813Phone: 808–586–1171/808–586–1240Hawaii Department of the AttorneyGeneralHawaii Internet Crimes Against ChildrenTask Force235 South Beretania Street, 16th FloorHonolulu, HI 96813Phone: 808–587–4114E-mail: atg_icac@hawaii.govhttp://www.hawaii.gov/ag/hicac/index.htmHonolulu Police DepartmentWhite Collar Crime Unit801 South Beretania StreetHonolulu, HI 96819Phone: 808–529–3112IdahoAda County Sheriff’s Office7200 Barrister DriveBoise, ID 83704Phone: 208–377–6691Office of the Attorney GeneralCriminal Division700 West Jefferson Street, Room 210Boise, ID 83720Phone: 208–332–3096IllinoisChicago Regional Computer ForensicLaboratory Office610 South Canal StreetChicago, IL 60607Phone: 312–913–9270Fax: 312–913–9408http://www.chicagorcfl.org/Illinois State PoliceComputer Crimes Investigation UnitDivision of OperationsOperational Services CommandStatewide Special Investigations Bureau500 Illes Park Place, Suite 104Springfield, IL 62703Phone: 217–785-0631Fax: 217–785–6793Illinois State PoliceComputer Crimes Investigation Unit9511 West Harrison StreetDes Plaines, IL 60016–1562Phone: 847–294–4400Office of the Attorney GeneralHigh Tech Crimes Bureau100 West Randolph Street, 12th FloorChicago, IL 60601Phone: 312–814–3762State of Illinois High Tech Crimes Networkhttp://www.hightechcrimes.net/Tazewell County State’s Attorney CIDRegional Computer Crime EnforcementGroup, Team 1342 Court Street, Suite 6Pekin, IL 61554–3298Phone: 309–477–2205, ext. 400Fax: 309–477–2205IndianaEvansville Police Department15 N.W. Martin Luther King, Jr. BoulevardEvansville, IN 47708Phone: 812–436–7995/812–436–7994http://www.evansvillepolice.com/computer_department.htmIndiana State PoliceNorth Central Indiana CyberCrimeInvestigations501 South Adams StreetMarion, IN 46953Phone: 765–662–9864E-mail: cybercrime@grantcounty.nethttp://operations.grant.in.uinquire.us/nxweb.exe?PAGEID=0013124

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSIndiana State PoliceGovernment Center North100 North Senate, Room 314Indianapolis, IN 46204Phone: 317–247–1852http://www.in.gov/isp/bci/criminal/special.htmlIndianapolis Police DepartmentTraining Academy901 North Post Road, Room 115Indianapolis, IN 46219Phone: 317–327–3461E-mail: vulcan@netdirect.nethttp://www.indygov.org/eGov/City/DPS/IPD/Enforcement/Investigations/org-crime.htmMarion Police DepartmentComputer Crime Investigations andForensic Lab301 South Branson StreetMarion, IN 46952Phone: 765–662–9981Office of the Attorney General402 West Washington StreetIndianapolis, IN 46204Phone: 317–232–6239IowaIowa Division of Criminal Investigation502 East Ninth StreetDes Moines, IA 50319Phone: 515–281–3666Fax: 515–242-6297Office of the Attorney General1305 East Walnut StreetDes Moines, IA 50319Phone: 515–281–5164KansasKansas Bureau of InvestigationHigh Technology Crime Investigation Unit1620 S.W. Tyler StreetTopeka, KS 66612–1837Phone: 785–296–8222Fax: 785–296–0525Olathe Police Department501 East 56 HighwayOlathe, KS 66061Phone: 913–782–4500Sedgwick County Sheriff’s Office130 South MarketWichita, KS 67202Phone: 316–337–6562http://www.sedgwickcounty.org/emcuWichita Police DepartmentForensic Computer Crimes Unit455 North Main, Sixth Floor LabWichita, KS 67202Phone: 316–337–6552E-mail: forensics@kscable.comKentuckyBoone County SheriffP.O. Box 198Burlington, KY 41005Phone: 859–334–2175Kentucky State Police1240 Airport RoadFrankfort, KY 40601Phone: 502–226–2160http://www.kentuckystatepolice.orgOffice of the Attorney GeneralSpecial Prosecutions Division1024 Capitol Center DriveFrankfort, KY 40601Phone: 502–696–5337LouisianaGonzales Police Department120 South Irma BoulevardGonzales, LA 70737Phone: 225–647–2841Fax: 225–647–9544E-mail: vsmith@leo.gov125

SPECIAL REPORT / JAN. 07Louisiana Department of JusticeHigh Technology Crime UnitP.O. Box 94095Baton Rouge, LA 70804Phone: 225–342–7552E-mail: HTCU@ag.state.la.ushttp://www.ag.state.la.us/HighTech.aspxLouisiana Department of JusticeLouisiana Internet Crimes Against ChildrenTask Force339 Florida Street, Suite 402Baton Rouge, LA 70801Phone: 225–342–0921http://www.ag.state.la.us/icac.aspxMaineMaine Computer Crimes Task Force171 Park StreetLewiston, ME 04240Phone: 207–784–6422Maine Computer Crimes Task Force15 Oak Grove RoadVassalboro, ME 04989Phone: 207–877–8081Office of the Attorney GeneralComputer Crimes Task Force44 Oak Street, 4th FloorPortland, ME 04101Phone: 207–626–8800MarylandAnne Arundel County Police DepartmentComputer Crimes Unit41 Community PlaceCrownsville, MD 21032Phone: 410–222–3419Fax: 410–987–7433Maryland Department of State PoliceComputer Crimes UnitUnit Commander7155–C Columbia Gateway DriveColumbia, MD 21046Phone: 410–290–1620Fax: 410–290–1831http://ccu.mdsp.org/home.htmMaryland Department of State PoliceInternet Crimes Against ChildrenTask Force7155 Columbia Gateway DriveColumbia, MD 21046Phone: 410–977–4519E-mail: icac@mdsp.orghttp://icac.mdsp.orgMontgomery County PoliceComputer Crime Unit2350 Research BoulevardRockville, MD 20850Phone: 301–840–2590E-mail: CCU@co.mo.md.ushttp://www.montgomerycountymd.gov/poltmpl.asp?url=/Content/POL/ask/ computerCrimes.asp Office of the Attorney GeneralCriminal Investigations Division200 South Paul PlaceBaltimore, MD 21202Phone: 410–576–6380MassachusettsMassachusetts State Police340 West Brookfield RoadNew Braintree, MA 01531Phone: 508–867–1080Office of the Attorney GeneralHigh Tech and Computer Crime DivisionOne Ashburton PlaceBoston, MA 02108Phone: 617–727–2200http://www.ago.state.ma.us/sp.cfm?pageid=1198126

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSMichiganMichigan Department of the AttorneyGeneralHigh Tech Crime Unit18050 DeeringLivonia, MI 48152Phone: 734–525–4151Fax: 734–525–4372http://www.michigan.gov/agMichigan State PoliceInternet Crimes Against ChildrenTask Force4000 Collins RoadLansing, MI 48909Phone: 517–336–6444http://www.michigan.gov/ag/0,1607,7-164­17334_18155-46048—,00.htmlOakland County Sheriff’s DepartmentComputer Crimes Unit1201 North Telegraph RoadPontiac, MI 48341Phone: 248–858–4942Fax: 248–858–9565E-mail: ocso@oakgov.comhttp://www.oakgov.com/sheriffMinnesotaDepartment of Public SafetyBureau of Criminal Apprehension1246 UniversitySt. Paul, MN 55104–4197Phone: 651–642–0610Office of the Attorney GeneralCriminal Division525 Park Street, Suite 500St. Paul, MN 55103Phone: 651–297–1050Ramsey County Sheriff’s Department14 West Kellogg BoulevardSt. Paul, MN 55102Phone: 651–266–2797St. Paul Police DepartmentMinnesota Internet Crimes AgainstChildren Task Force367 Grove Street, Second FloorSaint Paul, MN 55101Phone: 651–266–5882E-mail: micac@ci.stpaul.mn.ushttp://www.ci.stpaul.mn.us/depts/police/icac/icac.htmlMississippiBiloxi Police Department170 Porter AvenueBiloxi, MS 39530Phone: 228–435–6100Fax: 228–374–1922Office of the Attorney GeneralPublic Integrity SectionP.O. Box 2Jackson, MS 39205Phone: 601–359–4250MissouriHeart of America Regional ComputerForensic Laboratory Office4150 North Mulberry Drive, Suite 250Kansas City, MO 64116–1696Phone: 816–584–4300http://www.harcfl.org/Office of the Attorney GeneralHigh Tech Crimes Unit207 West HighJefferson City, MO 65101Phone: 573–751–3321Office of the Attorney GeneralHigh Tech Crime Unit1530 Rax CourtJefferson City, MO 65109Phone: 816–889–5000127

SPECIAL REPORT / JAN. 07St. Louis Metropolitan PoliceDepartmentHigh Tech Crimes UnitSex Crimes and Child Abuse Unit1200 ClarkSt. Louis, MO 63103Phone: 314–444–5441http://stlcin.missouri.org/circuitattorney/sexcrimes.cfmMontanaMontana Division of CriminalInvestigationComputer Crime Unit303 North Roberts, Room 371Helena, MT 59620Phone: 406–444–3874E-mail: contactdoj@state.mt.usOffice of the Attorney GeneralLegal Services Division215 North SandersHelena, MT 59620Phone: 406–444–2026Office of the Attorney GeneralComputer Crime Unit303 North Roberts, Room 361Helena, MT 59620Phone: 406–444–3875NebraskaLincoln Police Department575 South 10th StreetLincoln, NE 68508Phone: 402–441–7587E-mail: lpd@cjis.ci.lincoln.ne.usNebraska State PatrolInternet Crimes Against Children Unit4411 South 108th StreetOmaha, NE 68137Phone: 402–595–2410Fax: 402–595–3303http://www.nsp.state.ne.us/findfile.asp?id2=52Office of the Attorney General2115 State CapitolP.O. Box 98930Lincoln, NE 68509Phone: 402–471–4794NevadaCity of Reno Police DepartmentComputer Crimes Unit455 East Second Street (street address)Reno, NV 89502P.O. Box 1900 (mailing address)Reno, NV 89505Phone: 775–334–2107Fax: 775–785–4026Las Vegas Metropolitan PoliceDepartmentLas Vegas Regional Internet CrimesAgainst Children Task Force3010 West Charleston, #120Las Vegas, NV 89102Phone: 702–229–3599http://www.lvicac.comOffice of the Attorney General100 North Carson StreetCarson City, NV 89701Phone: 775–684–1100Office of the Attorney GeneralNevada Cyber Crime Task Force5420 Kietzke Lane, Suite 202Reno, NV 89511Phone: 775–688–1818New HampshireNew Hampshire State Police ForensicLaboratoryComputer Crimes Unit10 Hazen DriveConcord, NH 03305Phone: 603–271–0300http://www.state.nh.us/safety/infotech/index.html128

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSOffice of the Attorney General33 Capitol StreetConcord, NH 03301–6397Phone: 603–271–3671Office of Juvenile Justice andDelinquency PreventionInternet Crimes Against Children TaskForce Training and Technical AssistanceUniversity of New Hampshire Crimes Against Children Research Center, West Edge7 Leavitt LaneDurham, NH 03824Phone: 603–862–7031http://www.unh.edu/ccrc/NJOV_info_page.htmPortsmouth Police DepartmentInternet Crimes Against Children Task Force3 Junkins AvenuePortsmouth, NH 03801Phone: 603–427–1500http://www.ci.keene.nh.us/police/task_force.htmNew JerseyNew Jersey Division of Criminal JusticeComputer Analysis and Technology Unit25 Market StreetP.O. Box 085Trenton, NJ 08625–0085Phone: 609–984–5256/609–984–6500http://www.state.nj.us/lps/dcj/catu/catunit.htmNew Jersey Regional ComputerForensic Laboratory OfficeNJSP Technology Center1200 Negron DriveHamilton, NJ 08691Phone: 609–584–5051, ext. 5676http://www.njrcfl.org/New Jersey State PoliceHigh Tech Crimes UnitP.O. Box 7068West Trenton, NJ 08628Phone: 609–882–2000, ext. 2904http://www.njsp.orgOcean County Prosecutor’s OfficeSpecial Investigations Unit/Computer CrimesP.O. Box 2191Toms River, NJ 08754Phone: 732–929–2027, ext. 4014Fax: 732–240–3338New MexicoNew Mexico Gaming Control BoardInformation Systems Division6400 Uptown Boulevard N.E., Suite 100EAlbuquerque, NM 87110Phone: 505–841–9719http://www.nmgcb.org/divisions/infosysOffice of the Attorney GeneralP.O. Drawer 1508Sante Fe, NM 87504–1508Phone: 505–827–6000Office of the Attorney General111 Lomas N.W., Suite 300Albuquerque, NM 87102Phone: 505–222–9000Twelfth Judicial DistrictAttorney’s Office1000 New York Avenue, Room 301Alamogordo, NM 88310Phone: 505–437–3640, ext. 110New YorkErie County Sheriff’s OfficeComputer Crime Unit134 West EagleBuffalo, NY 14202Phone: 716–858–6889http://www.erie.gov/sheriff/ccu.asp129

SPECIAL REPORT / JAN. 07Nassau County Police DepartmentComputer Crime Section970 Brush Hollow RoadWestbury, NY 11590Phone: 516–573–5275New York State Attorney General’sOfficeInternet Bureau120 BroadwayNew York, NY 10271Phone: 212–416–6344http://www.oag.state.ny.us/internet/internet.htmlNew York State Department of Taxationand FinanceOffice of Deputy Inspector GeneralBuilding 9, Room 481Albany, NY 12227Phone: 518–485–8698New York State PoliceComputer Crime UnitForensic Investigation CenterBuilding 30, State Campus1220 Washington AvenueAlbany, NY 12226Phone: 518–457–5712Fax: 518–402–2773E-mail: nyspccu@troopers.state.ny.ushttp://www.troopers.state.ny.us/Criminal_Investigation/Computer_Crimes/http://www.troopers.state.ny.us/Criminal_Investigation/Internet_Crimes_Against_ChildrenRockland County Sheriff’s DepartmentComputer Crime Task Force27 New Hempstead RoadNew City, NY 10956Phone: 845–708–7860/845–638–5836Fax: 845–708–7821E-mail: info@rocklandcomputercops.comNorth CarolinaNorth Carolina State Bureau ofInvestigationP.O. Box 25099Raleigh, NC 27611Phone: 919–716–0000http://www.ncsbi.govOffice of the Attorney GeneralLaw Enforcement and Prosecution DivisionP.O. Box 629Raleigh, NC 27602Phone: 919–716–6500Raleigh Police Department110 South McDowell StreetRaleigh, NC 27601Phone: 919–890–3555North DakotaNorth Dakota Bureau of CriminalInvestigationCybercrime UnitP.O. Box 1054Bismarck, ND 58502–1054Phone: 701–328–5500E-mail: BCIinfo@state.nd.usOhioCuyahoga County Prosecutor’s Office1200 Ontario Street, Ninth FloorCleveland, OH 44115Phone: 216–443–7825http://prosecutor.cuyahogacounty.us/internet_safety.aspHamilton County Ohio Sheriff’s OfficeJustice Center1000 Sycamore Street, Room 110Cincinnati, OH 45202Phone: 513–946–6685Fax: 513–946-6690http://www.hcso.org130

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSMiami Valley Regional ComputerForensic Laboratory OfficeFederal Building200 West Second StreetDayton, OH 45402Phone: 937–512–1913Fax: 937–512–1950http://www.mvrcfl.org/Office of the Attorney GeneralBureau of Criminal InvestigationComputer Crime Unit1560 State Route 56London, OH 43140Phone: 740–845–2410Office of the Attorney GeneralComputer Crime Task Force140 East Town Street, 14th FloorColumbus, OH 43215–6001Phone: 614–644–7233Riverside Police Department1791 Harshman RoadRiverside, OH 45424Phone: 937–233–1801E-mail: police@riverside.oh.usOklahomaOklahoma Attorney General4545 North Lincoln Boulevard, Suite 260Oklahoma City, OK 73105–3498Phone: 405–521–4274E-mail: okoag@oag.state.ok.usOklahoma State Bureau of InvestigationComputer Crime Unit6600 North HarveyOklahoma City, OK 73116Phone: 405–427–5421http://www.osbi.state.ok.us/Inv.htmlOregonEugene Police DepartmentFinancial Crimes Unit777 Pearl Street, Room 107Eugene, OR 97401Phone: 541–682–2682Northwest Regional Computer ForensicLaboratory Office1201 Northeast Lloyd Boulevard, Suite 600Portland, OR 97237Phone: 503–224–4181http://www.nwrcfl.org/Office of the Attorney General1162 Court Street N.E.Salem, OR 97301Phone: 503–378–6347Portland Police BureauComputer Crimes Detail1115 S.W. Second AvenuePortland, OR 97204Phone: 503–823–0871Washington County Sheriff’s Office215 S.W. Adams Avenue, MS32Hillsboro, OR 97123Phone: 503–846–2733Fax: 503–846–2637http://www.co.washington.or.us/sheriff/investig/fraud.htmPennsylvaniaAllegheny County Police DepartmentHigh Tech Crime Unit400 North Lexington StreetPittsburgh, PA 15208Phone: 412–473–3000Fax: 412–473–3332131

SPECIAL REPORT / JAN. 07Delaware County District Attorney’sOfficeInternet Crimes Against ChildrenTask ForceMedia Courthouse CIDMedia, PA 19063Phone: 610–891–4709http://www.delcoicac.com/home.htmlErie County District Attorney’s OfficeErie County Courthouse140 West Sixth StreetErie, PA 16501Phone: 814–451–6349Fax: 814–451–6419Office of Attorney GeneralComputer Forensics Unit106 Lowthar StreetLemoyne, PA 17043Phone: 717–712–2023Office of Attorney GeneralComputer Forensics Section2490 Boulevard of the GeneralsNorristown, PA 19403Phone: 610–631–5937Pennsylvania State PoliceComputer Crimes Unit1800 Elmerton AvenueHarrisburg, PA 17110Phone: 717–772–7631Rhode IslandDepartment of the Attorney GeneralCriminal Division150 South Main StreetProvidence, RI 02903Phone: 401–274–4400Warwick Police DepartmentBCI Unit, Detective Division99 Veterans Memorial DriveWarwick, RI 02886Phone: 401–468–4200E-mail:WPDDetectives@warwickri.comSouth CarolinaSouth Carolina Attorney General’sOfficeInternet Crimes Against ChildrenP.O. Box 11549Columbia, SC 29211Phone: 803–734–6151E-mail: info@sckidsonline.comhttp://www.sckidsonline.comSouth Carolina Law EnforcementDivisionP.O. Box 21398Columbia, SC 29221–1398Phone: 803–896–2277http://www.sled.state.sc.us/Winthrop University Campus PoliceDepartment of Public Safety02 Crawford BuildingRock Hill, SC 29733Phone: 803–323–3333South DakotaOffice of the Attorney General500 East CapitalPierre, SD 57501–5070Phone: 605–773–3215Office of the Attorney GeneralCriminal DivisionBox 70Robin City, SD 57709Phone: 605–394–2258TennesseeHarriman Police Department130 Pansy Hill RoadHarriman, TN 37748Phone: 865–882–3383Fax: 865–882–0700E-mail: crimeseen@earthlink.net132

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSKnox County Sheriff’s Office400 West Main AvenueKnoxville, TN 37902Phone: 865–971–3911E-mail: sheriff@esper.comKnoxville Police DepartmentInternet Crimes Against Children800 Howard Baker, Jr. AvenueKnoxville, TN 37915Phone: 865–215–7020http://www.ci.knoxville.tn.us/kpd/crimesvschildren.aspOffice of the Attorney GeneralComputer Forensic Unit425 Fifth Avenue, NorthNashville, TN 37243Phone: 615–532–5817Office of the Attorney General500 Charlotte AvenueNashville, TN 37243Phone: 615–741–4082TexasAustin Police Department715 East Eighth StreetAustin, TX 78701Phone: 512–974–5000Bexar County District Attorney’s Office300 DolorosaSan Antonio, TX 78205Phone: 210–335–2974/210–335–2991http://www.co.bexar.tx.us/da2/Dallas Police DepartmentComputer Crimes Team1400 South Lamar StreetDallas, TX 75215Phone: 214–671–3503http://www.dallaspolice.net/index.cfm?page_ID=4054&subnav=55Dallas Police DepartmentChild Exploitation Unit1400 South Lamar Street, Room 3N061Dallas, TX 75215Phone: 214–671–4211http://www.dallaspolice.net/index.cfm?page_ID=3114Federal Bureau of InvestigationDallas Field OfficeOne Justice WayDallas, TX 75220Phone: 972–559–5000E-mail: Dallas@FBI.govhttp://dallas.fbi.gov/dala.htmGreater Houston Regional ComputerForensic Laboratory Office2900 North Loop West, Ninth FloorHouston, TX 77092Phone: 713–316–7878http://www.ghrcfl.org/Houston Police Department1200 Travis StreetHouston, TX 77002Phone: 713–884–3131North Texas Regional ComputerForensic Laboratory Office301 North Market Street, #500Dallas, TX 75202–1878Phone: 972–559–5800Fax: 972–559–5880http://www.ntrcfl.org/Office of the Attorney GeneralCyber Crimes UnitP.O. Box 12548Austin, TX 78711–2548Phone: 512–936–2899Portland Police Department902 Moore AvenuePortland, TX 78374Phone: 361–643–2546Fax: 361–643–5689133

SPECIAL REPORT / JAN. 07Texas Department of Public Safety5805 North Lamar Boulevard(street address)Austin, TX 78752–4422P.O. Box 4087 (mailing address)Austin, TX 78773–0001Phone: 512–424–2200/800–252–5402E-mail: specialcrimes@txdps.state.tx.ushttp://www.txdps.state.tx.us/ccrime.htmUtahIntermountain West Regional ComputerForensic Laboratory Office257 East 200 South, Suite 1200Salt Lake City, UT 84111Phone: 801–579–1400http://www.iwrcfl.org/Utah Department of Public SafetyCriminal Investigations Bureau,Forensic Computer Lab5272 South College Drive, Suite 200Murray, UT 84123Phone: 801–955–2100http://sbi.utah.gov/compforensic/Utah Office of Attorney GeneralUtah Internet Crimes Against ChildrenTask Force257E 200 South, Suite 1200Salt Lake City, UT 84111Phone: 801–579–4530http://attorneygeneral.utah.gov/ICAC/icacmain.htmVermontChittenden Unit for SpecialInvestigationsInternet Crimes Against ChildrenTask Force50 Cherry Street, Suite 102Burlington, VT 05401Phone: 802–652–6800Office of the Attorney General109 State StreetMontpelier, VT 05609-1001Phone: 802–828–5512State of Vermont Department of PublicSafetyBureau of Criminal Investigation103 South Main StreetWaterbury, VT 05671–2101Phone: 802–244–8721/800–347–0488Fax: 802–241–5349http://www.dps.state.vt.us/vtsp/computer.htmlVermont Internet Crimes Task Force1 North AvenueBurlington, VT 05401Phone: 802–857–0092E-mail:info@vtinternetcrimes.orghttp://www.vtinternetcrimes.org/VirginiaArlington County Police DepartmentCriminal Investigations DivisionComputer Forensics1425 North Courthouse RoadArlington, VA 22201Phone: 703–228–4239Bedford County Sheriff’s OfficeInternet Crimes Against Children TaskForce1345 Falling Creek RoadBedford, VA 24523Phone: 540–586–4800http://www.blueridgethunder.comFairfax County Police DepartmentComputer Forensics Section4100 Chain Bridge RoadFairfax, VA 22030Phone: 703–246–7800Fax: 703–246–4253134

INVESTIGATIONS INVOLVING THE INTERNET AND COMPUTER NETWORKSNational Center for Missing & ExploitedChildren699 Prince StreetAlexandria, VA 22314Phone: 703–837–6337http://www.missingkids.comOffice of the Attorney GeneralComputer Crime Unit900 East Main StreetRichmond, VA 23219Phone: 804–659–3122Regional Computer Forensic LaboratoryNational Program OfficeEngineering Research FacilityAttn: RCFL National Program OfficeBuilding 27958–AQuantico, VA 22135Phone: 703–902–5502E-mail: info@nationalrcfl.orghttp://www.rcfl.gov/Richmond Police DepartmentTechnology Crimes Section200 West Grace StreetRichmond, VA 23220Phone: 804–646–3949Virginia Beach Police DepartmentSpecial Investigations CERU2509 Princess Anne RoadVirginia Beach, VA 23456Phone: 757–427–1749http://www.vbgov.com/dept/police/Virginia Department of Motor VehiclesLaw Enforcement SectionAssistant Special Agent in Charge945 Edwards Ferry RoadLeesburg, VA 20175Phone: 703–771–4757Virginia State PoliceHigh Tech Crimes UnitP.O. Box 27472Richmond, VA 23261Phone: 804–674–2000http://www.vsp.state.va.us/WashingtonKing County Sheriff’s OfficeFraud/Computer Forensic Unit401 Fourth Avenue North, RJC 104Kent, WA 98032–4429Phone: 206–296–4280http://www.metrokc.gov/sheriff/what/investigations/fraud.aspxLynnwood Police DepartmentHigh Tech Property Crimes 19321 44th Avenue West (street address) P.O. Box 5008 (mailing address)Lynnwood, WA 98046–5008Phone: 425–744–6900Fax: 425–672–6835E-mail: kmanser@ci.lynnwood.wa.usOffice of the Attorney GeneralHigh Tech Crimes Unit900 Fourth Avenue, Suite 2000Seattle, WA 98164Phone: 206–464–6430Seattle Police DepartmentInternet Crimes Against Children TaskForce610 Fifth AvenueSeattle, WA 98104Phone: 206–684–4351http://www.cityofseattle.net/police/Programs/ICAC/icac.htmTacoma Police DepartmentPCSO930 Tacoma Avenue SouthTacoma, WA 98402Phone: 253–591–5679E-mail: info@TacomaPolice.orgVancouver Police DepartmentComputer Forensics Specialist300 East 13th StreetVancouver, WA 98660Phone: 360–735–8887E-mail: ecrimes@ci.vancouver.wa.us135

SPECIAL REPORT / JAN. 07Washington State Department of Fishand Wildlife600 Capitol Way NorthOlympia, WA 98501Phone: 360–902–2276Washington State PatrolComputer Forensics UnitP.O. Box 2347Airdustrial Way, Building 17Olympia, WA 98507–2347Phone: 360–753–3277http://www.wsp.wa.gov/crime/iad.htmWest VirginiaOffice of the Attorney GeneralP.O. Box 1789Charleston, WV 25326–1789Phone: 304–558–8986WisconsinGreen Bay Police Department307 South Adams StreetPhone: 920–448–3200Green Bay, WI 54301http://www.gbpolice.org/inv/detectives.htmlMadison Police Department211 South Carroll StreetMadison, WI 53709Phone: 608–267–8824/608–266–4022Wisconsin Department of JusticeComputer Crimes UnitP.O. Box 7857Madison, WI 53707–7851Phone: 608–266–1221Wisconsin Department of JusticeDivision of Criminal Investigation17 West Main StreetMadison, WI 53702Phone: 608–267–1326http://www.doj.state.wi.us/dci/tech/#internetWood County Sheriff’s Department400 Market StreetWis Rapids, WI 54495Phone: 715–421–8700E-mail: wcsd@tznet.comWyomingCasper Police Department201 North DavidCasper, WY 82601Phone: 307–235–8225Gillette Police Department201 East Fifth StreetGillette, WY 82716Phone: 307–682–5109E-mail: lenf@ci.gillette.wy.usGreen River Police Department50 East Second NorthGreen River, WY 82935Phone: 307–872–0555E-mail: tjarvie@cityofgreenriver.org;dhyer@cityofgreenriver.orgWyoming Division of CriminalInvestigation316 West 22nd StreetCheyenne, WY 82002Phone: 307–777–7183Fax: 307–777–7252http://attorneygeneral.state.wy.us/dci/compfaq.htmlWyoming Division of CriminalInvestigationWyoming Internet Crimes Against ChildrenTask Force316 West 22nd StreetCheyenne, WY 82002Phone: 307–777–7806http://wyomingicac.net136

Appendix J. Legal Resources List American Prosecutors ResearchInstitute99 Canal Center Plaza, Suite 510Alexandria, VA 22314Phone: 703–549–9222Fax: 703–836–3195http://www.ndaa-apri.org/apri/National Association of AttorneysGeneral750 First Street N.E., Suite 1100Washington, DC 20002Phone: 202–326–6000Fax: 202–408–7014http://www.naag.orgU.S. Department of JusticeComputer Crime and Intellectual PropertySection10th & Constitution Avenue N.W.John C. Keeney Building, Suite 600Washington, DC 20530Phone: 202–514–1026http://www.cybercrime.gov137

Appendix K. List of Organizations The following is a list of organizationsto which a draft copy of this documentwas mailed.Alaska Criminal LaboratoryAmerica Online–Investigations and LawEnforcement AffairsAmerican Prosecutors Research InstituteAmerican Society of Law EnforcementTrainersBureau of Alcohol, Tobacco, Firearms andExplosives–Computer Forensics BranchCenter for Law and Computers, Chicago-Kent College of Law, Illinois Institute ofTechnologyChicago Regional Computer ForensicsLaboratoryComputer Forensics Inc.Computer Science andTelecommunications BoardCriminal Justice InstituteDrug Enforcement Administration–DigitalEvidence LaboratoryFederal Bar AssociationFederal Bureau of InvestigationFederal Law Enforcement TrainingCenter–Financial Fraud InstituteGeorgia Bureau of Investigation,Intelligence UnitHawaii County PoliceHeart of America Regional ComputerForensics LaboratoryIntermountain West Regional ComputerForensics LaboratoryMiami Valley Regional Computer ForensicsLaboratoryThe MITRE CorporationNational Center for Forensic ScienceNational Computer Security Association(TruSecure)National Law Enforcement andCorrections Technology Center–WestNew Jersey Regional Computer ForensicsLaboratoryNorth Texas Regional Computer ForensicsLaboratoryNorthwest Regional Computer ForensicsLaboratoryOhio Bureau of Criminal ID andInvestigationRegional Computer Forensic LaboratoryNational Program OfficeRocky Mountain Regional ComputerForensics LaboratorySan Diego Regional Computer ForensicLaboratorySilicon Valley Regional Computer ForensicLaboratorySocial Security Administration–Office ofthe Inspector General, Office ofInvestigationsU.S. Department of Defense Cyber CrimeCenterU.S. Department of Justice–ComputerCrime and Intellectual Property SectionU.S. Department of Justice–WesternDistrict of MichiganU.S. Naval Criminal Investigative ServiceU.S. Postal Service, Office of InspectorGeneral139

About the National Institute of JusticeNIJ is the research, development, and evaluation agency of the U.S. Department of Justice. NIJ’smission is to advance scientific research, development, and evaluation to enhance the administrationof justice and public safety. NIJ’s principal authorities are derived from the OmnibusCrime Control and Safe Streets Act of 1968, as amended (see 42 U.S.C. §§ 3721–3723).The NIJ Director is appointed by the President and confirmed by the Senate. The Director establishesthe Institute’s objectives, guided by the priorities of the Office of Justice Programs, theU.S. Department of Justice, and the needs of the field. The Institute actively solicits the views ofcriminal justice and other professionals and researchers to inform its search for the knowledgeand tools to guide policy and practice.Strategic GoalsNIJ has seven strategic goals grouped into three categories:Creating relevant knowledge and tools1. Partner with State and local practitioners and policymakers to identify social science researchand technology needs.2. Create scientific, relevant, and reliable knowledge—with a particular emphasis on terrorism,violent crime, drugs and crime, cost-effectiveness, and community-based efforts—to enhancethe administration of justice and public safety.3. Develop affordable and effective tools and technologies to enhance the administration ofjustice and public safety.To find out more about the NationalInstitute of Justice, please visit:http://www.ojp.usdoj.gov/nijor contact:National Criminal JusticeReference ServiceP.O. Box 6000Rockville, MD 20849–6000800–851–3420e-mail: askncjrs@ncjrs.orgDissemination4. Disseminate relevant knowledge and information to practitioners and policymakers in anunderstandable, timely, and concise manner.5. Act as an honest broker to identify the information, tools, and technologies that respond tothe needs of stakeholders.Agency management6. Practice fairness and openness in the research and development process.7. Ensure professionalism, excellence, accountability, cost-effectiveness, and integrity in themanagement and conduct of NIJ activities and programs.Program AreasIn addressing these strategic challenges, the Institute is involved in the following program areas:crime control and prevention, including policing; drugs and crime; justice systems and offenderbehavior, including corrections; violence and victimization; communications and informationtechnologies; critical incident response; investigative and forensic sciences, including DNA; lessthan-lethaltechnologies; officer protection; education and training technologies; testing andstandards; technology assistance to law enforcement and corrections agencies; field testing ofpromising programs; and international crime control.In addition to sponsoring research and development and technology assistance, NIJ evaluatesprograms, policies, and technologies. NIJ communicates its research and evaluation findingsthrough conferences and print and electronic media.

U.S. Department of JusticeOffice of Justice ProgramsNational Institute of JusticeWashington, DC 20531Official BusinessPenalty for Private Use $300*NCJ~210798*PRESORTED STANDARDPOSTAGE & FEES PAIDDOJ/NIJPERMIT NO. G–91JAN. 07MAILING LABEL AREA (5” x 2”)DO NOT PRINT THIS AREA(INK NOR VARNISH)NCJ 210798